

Talk Overview 


* VoIP Basics
— SIP, RTP 
— Secure: TLS, SRTP 


* Recovering/Decrypting VoIP Calls 


* Current open source tools and issues 


* VoIPShark
— Architecture and Internals
— Analyzing VoIP Traffic
— Recovering Calls
— Detecting Attacks Passively
— Demo


VoIP Telephony


* Signalling
* Media


SIP Server 


©PentesterAcademy.com 


Signalling Protocols 


SIP (Session Initiation Protocol) 
* Developed by the IETF 


* Replacement for the desk phones and PSTN (Public Switched Telephone Network) 


H.323 
* Created by the ITU-T 


* Focused on videoconferencing but also used for voice calls 


SCCP (Skinny) 


* Cisco proprietary protocol used for line-side control of phones 




Session Initiation Protocol 


Text-based protocol 


Applications 
— Calls (audio, video) using other media streams like RTP


— Text messages using SIP “Message” method

Works with other protocols

— Session Description Protocol (SDP) to define media negotiation and setup

Can operate over TCP, UDP or SCTP (Stream Control Transmission Protocol)


Security is provided by TLS (Transport Layer Security), i.e. SIP over TLS.


SUBSCRIBE, PUBLISH and NOTIFY


[Diagram: User/Device, Subscription Broker, Service; message label: NOTIFY]


Session Initiation Protocol: Sample Call Flow


INVITE 


100 Trying 


180 Ringing 


200 OK 


ACK 




BYE 


200 OK


User Agent Server (UAS) Solutions


* SIPfoundry (open source community): www.sipfoundry.org
* 3CX
* Asterisk: www.asterisk.org
* FreeSWITCH: freeswitch.org

Softphone clients 


* Program for making telephone calls over IP to 


* Some options 


— X-Lite (www.counterpath.com/x-lite-download)
— Zoiper (www.zoiper.com)
— LinPhone
— MicroSIP (www.microsip.org)


Factors in choosing a good softphone client


* Check codec support
* Check encryption capabilities (especially in free versions)
* Other functionalities (i.e. text message option, hold, waiting etc.)


3CX: www.3cx.com


Asterisk


[Logos: Asterisk, FreePBX]


Bob 
User ID: 1111 
Password: abc 123321 


Scenario 


Asterisk Now Server 


Alice 
User ID: 2222 
Password: 123321 


192.168.20.132 


192.168.20.130
192.168.20.1


Possible Configurations


* SIP + RTP
* SIP over TLS + RTP
* SIP + SRTP
* SIP over TLS + SRTP


SIP/SDP Packets 


[Wireshark capture]

No.  Time       Source          Destination     Protocol  Length  Info
34   17.478218  192.168.20.132  192.168.20.130  SIP/SDP   1374    Request: INVITE sip:2222@192.168.20.130 |
37   17.598013  192.168.20.130  192.168.20.1    SIP/SDP   1089    Request: INVITE sip:2222@192.168.20.1:52987;ob |
71   22.145095  192.168.20.1    192.168.20.130  SIP/SDP   1014    Status: 200 OK
74   22.150650  192.168.20.130  192.168.20.132  SIP/SDP   1046    Status: 200 OK |
78   22.158359  192.168.20.132  192.168.20.130  SIP/SDP   919     Request: UPDATE sip:192.168.20.130:5060 |

Frame 71: 1014 bytes on wire (8112 bits), 1014 bytes captured (8112 bits)
Ethernet II, Src: Vmware_c0:00:08 (00:50:56:c0:00:08), Dst: Vmware_f8:0d:44 (00:0c:29:f8:0d:44)
Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 52987, Dst Port: 5060
Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
    Message Header
    Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): - 3731351734 3731351735 IN IP4 192.168.5.103
            Session Name (s): pjmedia
            Bandwidth Information (b): AS:84
            Time Description, active time (t): 0 0
            Session Attribute (a): X-nat:0
            Media Description, name and address (m): audio 4000 RTP/AVP 0 101
            Connection Information (c): IN IP4 192.168.5.103
            Bandwidth Information (b): TIAS:64000
            Media Attribute (a):
            Media Attribute (a): sendrecv
            Media Attribute (a): rtpmap:0
            Media Attribute (a): rtpmap:101 telephone-event/8000


RTCP Packets 


[Wireshark capture]

No.   Time       Source          Destination     Protocol  Length  Info
…     32.479679  192.168…        192.168.20.130  RTCP      122     Sender Source description
3108  37.158822  192.168.20.130  192.168.20.1    RTCP              Sender Report Source description
3109  37.158934  192.168.20.130  192.168.20.132  RTCP              Sender Report Source description
3136  37.287057  192.168.20.132  192.168.20.130  RTCP              Sender Report Source description
3207  37.640101  192.168.20.1    192.168.20.130  RTCP              Sender Report Source description

Frame 3108: 106 bytes on wire (848 bits), 106 bytes captured (848 bits)
Ethernet II, Src: Vmware_f8:0d:44 (00:0c:29:f8:0d:44), Dst: Vmware_c0:00:08 (00:50:56:c0:00:08)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.1
User Datagram Protocol, Src Port: 15675, Dst Port: 4001
Real-time Transport Control Protocol (Sender Report)
Real-time Transport Control Protocol (Source description)
    [Stream setup by SDP (frame 37)]
    10.. .... = Version: RFC 1889 Version (2)
    Padding: False
    Source count: 1
    Packet type: Source description (202)
    Length: 2 (12 bytes)
    Chunk 1, SSRC/CSRC 0x3C988166
        Identifier: 0x3c988166 (1016627558)
        SDES items
            Type: CNAME (user and domain) (1)
            Length: 0
            Type: END (0)
    [RTCP frame length check: OK - 64 bytes]


RTP Packets


[Wireshark capture]

No.   Time       Source          Destination     Protocol  Length  Info
3103  37.140222  192.168.20.1    192.168.20.130  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=5909, Time=120000
3104  37.141062  192.168.20.130  192.168.20.132  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0xAFD8AB5, Seq=21275, Time=120000
3105  37.143728  192.168.20.132  192.168.20.130  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x43572C47, Seq=30108, Time=120000
3106  37.144098  192.168.20.130  192.168.20.1    RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x3C988166, Seq=26401, Time=120000
3110  37.160340  192.168.20.1    192.168.20.130  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=5910, Time=120160

Frame 3106: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Vmware_f8:0d:44 (00:0c:29:f8:0d:44), Dst: Vmware_c0:00:08 (00:50:56:c0:00:08)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.1
User Datagram Protocol, Src Port: 15674, Dst Port: 4000
Real-Time Transport Protocol
    [Stream setup by SDP (frame 37)]
    10.. .... = Version: RFC 1889 Version (2)
    Padding: False
    Extension: False
    Contributing source identifiers count: 0
    Sequence number: 26401
    [Extended sequence number: 91937]
    Timestamp: 120000
    Synchronization Source identifier: 0x3c988166 (1016627558)
    Payload: 5f5f606265696b6c6e70777b7d7d7e7d7a797efaf8fb7e7d...


Recovered VoIP Calls


[Screenshot: Wireshark VoIP Calls dialog. Columns: Start Time, Stop Time, Initial Speaker, From, Protocol, Duration, Packets, State, Comments]


Flow Sequence


[Wireshark flow sequence between 192.168.20.132, 192.168.20.130 and 192.168.20.1]

Time       Comment
17.478218  SIP INVITE From: <sip:1111@192.168.20.130 To:...
17.485438  SIP Status 100 Trying
17.597307  SIP Status 180 Ringing
17.598013  SIP INVITE From: "Bob" <sip:1111@192.168.20.1...
17.603920  SIP Status 100 Trying
17.604301  SIP Status 180 Ringing
17.605610  SIP Status 180 Ringing
22.145095  SIP Status 200 OK
22.148286  SIP Request INVITE ACK 200 CSeq:28747
22.150650  SIP Status 200 OK
22.156664  SIP Request INVITE ACK 200 CSeq:20778
22.158359  SIP UPDATE From: <sip:1111@192.168.20.130 To..
22.160190  RTP, 830 packets. Duration: 16.581s SSRC: 0x294...
22.160191  RTP, 830 packets. Duration: 16.581s SSRC: 0xAFD..
22.161608  SIP Status 200 OK
22.161703  RTP, 830 packets. Duration: 16.588s SSRC: 0x435...
22.162308  RTP, 830 packets. Duration: 16.589s SSRC: 0x3C9...
38.751436  SIP Request BYE CSeq:20780
38.752328  SIP Status 200 OK


Reconstructed Call 


[Wireshark RTP Player]

Source Address  Source Port  Destination Address  Destination Port  SSRC        Setup Frame  Packets  Time Span (s)       Sample Rate (Hz)  Payloads
192.168.20.132  4000         192.168.20.130       16912             0x43572c47  78           830      22.2 - 38.8 (16.6)  8000              g711U
192.168.20.130  16912        192.168.20.132       4000              0x0afd8ab5  78           830      22.2 - 38.7 (16.6)  8000              g711U

Output Device: Speakers (Realtek High Definition Audio)
Jitter Buffer: 50    Playback Timing: Jitter Buffer


Possible Configurations


* SIP + RTP
* SIP over TLS + RTP
* SIP + SRTP
* SIP over TLS + SRTP


SRTP key in SDP packet


[Wireshark capture]

No.  Time       Source          Destination     Protocol  Length  Info
128  27.128753  192.168.20.132  192.168.20.130  SIP/SDP   278     Request: INVITE sip:2222@192.168.20.130 |
131  27.301506  192.168.20.130  192.168.20.1    SIP/SDP   1174    Request: INVITE sip:2222@192.168.20.1:60168;…
…    29.2932…   …               192.168.20.130  SIP/SDP   …       Status: 200 OK |
178  29.314263  192.168.20.130  192.168.20.132  …         …       Status: 200 OK |

Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 60168, Dst Port: 5060
Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
    Message Header
    Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): - 3730471310 3730471311 IN IP4 192.168.5.114
            Session Name (s): pjmedia
            Bandwidth Information (b): AS:84
            Time Description, active time (t): 0 0
            Session Attribute (a): X-nat:0
            Media Description, name and address (m): audio 4000 RTP/SAVP 0 101
            Connection Information (c): IN IP4 192.168.5.114
            Bandwidth Information (b): TIAS:64000
            Media Attribute (a): rtcp:4001 IN IP4 192.168.5.114
            Media Attribute (a): sendrecv
            Media Attribute (a): rtpmap:0 PCMU/8000
            Media Attribute (a): rtpmap:101 telephone-event/8000
            Media Attribute (a): fmtp:101 0-16
            Media Attribute (a): ssrc:965767637 cname:66bf37b000942b74
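

Added example (not part of the original slides): an audit that maps a call's signalling transport and SDP body onto the four "Possible Configurations" and reports whether an SDES SRTP key (an `a=crypto` line with an `inline:` key) is visible to anyone who can read the signalling. The function names are hypothetical and the two SDP bodies are constructed from the field values shown in the captures, with a placeholder key.

```python
def parse_sdp_media(sdp_text):
    """Return one dict per m= section: media type, port, profile, SDES suites offered."""
    sections = []
    for raw in sdp_text.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3:
                continue
            sections.append({
                "media": fields[0],
                "port": int(fields[1].split("/")[0]),
                "profile": fields[2],
                "sdes_suites": [],
            })
        elif line.startswith("a=crypto:") and sections:
            # a=crypto:<tag> <suite> inline:<key and salt>; only the suite name
            # is kept, the key material is never stored or printed.
            parts = line[len("a=crypto:"):].split()
            if len(parts) >= 3 and parts[2].startswith("inline:"):
                sections[-1]["sdes_suites"].append(parts[1])
    return sections


def audit_call(signalling_over_tls, sdp_text):
    """Classify each media section as one of the four configurations and rate it."""
    signalling = "SIP over TLS" if signalling_over_tls else "SIP"
    findings = []
    for m in parse_sdp_media(sdp_text):
        srtp = "SAVP" in m["profile"]          # RTP/SAVP, RTP/SAVPF, ...
        key_exposed = srtp and bool(m["sdes_suites"]) and not signalling_over_tls
        if not srtp:
            risk = "audio is sent as cleartext RTP"
        elif key_exposed:
            risk = "SRTP key is readable in the SDP by anyone who sees the signalling"
        elif not m["sdes_suites"]:
            risk = "no SDES key in the SDP; keying is negotiated elsewhere"
        else:
            risk = "SDES key travels inside the TLS-protected signalling"
        findings.append({
            "configuration": signalling + " + " + ("SRTP" if srtp else "RTP"),
            "port": m["port"],
            "sdes_suites": m["sdes_suites"],
            "key_exposed": key_exposed,
            "risk": risk,
        })
    return findings


# Constructed sample SDP bodies; the inline key is a placeholder, not a real key.
SRTP_SDP = "\r\n".join([
    "v=0",
    "o=- 3730471310 3730471311 IN IP4 192.168.5.114",
    "s=pjmedia",
    "c=IN IP4 192.168.5.114",
    "t=0 0",
    "m=audio 4000 RTP/SAVP 0 101",
    "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:101 telephone-event/8000",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40,
])
RTP_SDP = SRTP_SDP.replace("RTP/SAVP", "RTP/AVP").rsplit("\r\n", 1)[0]

if __name__ == "__main__":
    for tls, sdp in [(False, RTP_SDP), (True, RTP_SDP), (False, SRTP_SDP), (True, SRTP_SDP)]:
        for finding in audit_call(tls, sdp):
            print(finding["configuration"], "->", finding["risk"])
```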
SRTP Traffic


[Wireshark capture: Normal Call two parties.pcap]

No.  Time       Source          Destination     Protocol  Length  Info
195  29.354843  192.168.20.132  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x15BD2F81, Seq=15576, Time=320
196  29.355005  192.168.20.130  192.168.20.1    SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x4EFA778B, Seq=4650, Time=320
197  29.372665  192.168.20.1    192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25653, Time=640
198  29.372952  192.168.20.130  192.168.20.132  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16570, Time=640
199  29.375160  192.168.20.132  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x15BD2F81, Seq=15577, Time=480
200  29.375356  192.168.20.130  192.168.20.1    SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x4EFA778B, Seq=4651, Time=480
204  29.393539  192.168.20.1    192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25654, Time=800
205  29.393821  192.168.20.130  192.168.20.132  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16571, Time=800
206  29.395768  192.168.20.132  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x15BD2F81, Seq=15578, Time=640

Frame 195: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 17786
Real-Time Transport Protocol


Encrypted Call


[Wireshark RTP Player. Legend: Jitter Drops, Wrong Timestamps, Inserted Silence]

Source Address  Source Port  Destination Address  Destination Port  SSRC        Setup Frame  Packets  Time Span (s)       Sample Rate (Hz)  Payloads
192.168.20.132  4000         192.168.20.130       17786             0x15bd2f81  182          516      29.3 - 39.7 (10.4)  8000              g711U
192.168.20.130  17786        192.168.20.132       4000              0x60542655  182          520      29.3 - 39.7 (10.4)  8000              g711U

Output Device: Speakers (Realtek High Definition Audio)
Jitter Buffer: 50    Playback Timing: Jitter Buffer


Possible Configurations


* SIP + RTP
* SIP over TLS + RTP
* SIP + SRTP
* SIP over TLS + SRTP


No SIP Traffic


[Screenshot: Wireshark packet list with no packets shown]


TLS Traffic (SIP over TLS)


[Wireshark capture]

Time      Destination     Protocol  Length  Info
.011835   192.168.20.130  TLSv1     253     Client Hello
.016672   192.168.20.132  TLSv1     1246    Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hell...
.020041   192.168.20.130  TLSv1     200     Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
.020930   192.168.20.132  TLSv1     304     New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
.021214   192.168.20.130  TLSv1     784     Application Data, Application Data
.021727   192.168.20.132  TLSv1     688     Application Data, Application Data
.022063   192.168.20.130  TLSv1     1088    Application Data, Application Data
.025192   192.168.20.132  TLSv1     656     Application Data, Application Data
.076523   192.168.20.132  TLSv1     1370    Application Data, Application Data, Application Data, Application Data
.076842   192.168.20.130  TLSv1     928     Application Data, Application Data
.117462   192.168.20.130  TLSv1     512     Application Data, Application Data

Frame 4: 253 bytes on wire (2024 bits), 253 bytes captured (2024 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49484, Dst Port: 5061, Seq: 1, Ack: 1, Len: 199
Secure Sockets Layer


No RTP Traffic


[Screenshot: Wireshark packet list with no packets shown]


Why No RTP Traffic?


* Wireshark uses the SDP packet to figure out which port the RTP/SRTP stream will use.


* SIP and SDP are encrypted, so Wireshark can't figure it out.
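

Added example (not part of the original slides): a heuristic that recognises RTP streams from the UDP payload alone, for captures where the SDP is encrypted and only the manual "Decode As" route is left. The function names are hypothetical and the datagrams are constructed, reusing addresses and ports from the captures; the RTP/SRTP guess assumes G.711 (one byte per sample), so a payload longer than the timestamp step by 4 or 10 bytes suggests an SRTP authentication tag.

```python
import struct
from collections import defaultdict

G711_PAYLOAD_TYPES = {0: "PCMU", 8: "PCMA"}   # static types: 8000 Hz, one byte per sample
SRTP_TAG_LENGTHS = {4, 10}                    # HMAC-SHA1-32 and HMAC-SHA1-80 auth tags


def parse_rtp_header(payload):
    """Return (pt, seq, timestamp, ssrc, media_len) if payload parses as RTP v2, else None."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                          # version field must be 2
        return None
    pt = b1 & 0x7F
    if 72 <= pt <= 76:                        # would be RTCP packet types 200-204
        return None
    header_len = 12 + 4 * (b0 & 0x0F)         # fixed header plus CSRC list
    if b0 & 0x10:                             # header extension present
        if len(payload) < header_len + 4:
            return None
        (ext_words,) = struct.unpack("!H", payload[header_len + 2:header_len + 4])
        header_len += 4 + 4 * ext_words
    if len(payload) < header_len:
        return None
    return pt, seq, ts, ssrc, len(payload) - header_len


def find_rtp_streams(datagrams, min_packets=5):
    """Group UDP datagrams into candidate RTP streams without any SDP."""
    flows = defaultdict(list)
    for src, sport, dst, dport, payload in datagrams:
        hdr = parse_rtp_header(payload)
        if hdr is not None:
            flows[(src, sport, dst, dport, hdr[3], hdr[0])].append(hdr)

    streams = []
    for (src, sport, dst, dport, ssrc, pt), pkts in flows.items():
        if len(pkts) < min_packets:
            continue
        pairs = list(zip(pkts, pkts[1:]))
        # A real stream counts up by one per packet; arbitrary data that merely
        # starts with the bits 10 does not.
        in_order = sum(1 for a, b in pairs if (b[1] - a[1]) & 0xFFFF == 1)
        if in_order < 0.8 * len(pairs):
            continue
        kind = "RTP or SRTP"                  # the RTP header is cleartext in both
        if pt in G711_PAYLOAD_TYPES:
            extra = {a[4] - ((b[2] - a[2]) & 0xFFFFFFFF) for a, b in pairs}
            if extra == {0}:
                kind = "RTP"
            elif len(extra) == 1 and next(iter(extra)) in SRTP_TAG_LENGTHS:
                kind = "SRTP (likely)"
        streams.append({
            "src": "%s:%d" % (src, sport), "dst": "%s:%d" % (dst, dport),
            "ssrc": "0x%08x" % ssrc, "payload_type": pt,
            "packets": len(pkts), "kind": kind,
        })
    return streams


def make_rtp(pt, seq, ts, ssrc, media_len):
    """Build a constructed RTP-shaped datagram with a zero-filled media section."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + bytes(media_len)


def build_sample():
    """Constructed datagrams: one RTP flow, one SRTP-sized flow, and two kinds of noise."""
    d = []
    for i in range(6):
        d.append(("192.168.20.132", 4000, "192.168.20.130", 17430,
                  make_rtp(0, 29493 + i, 21600 + 160 * i, 0x32D417E6, 160)))  # UDP Len=172
        d.append(("192.168.20.1", 4000, "192.168.20.130", 13288,
                  make_rtp(0, 100 + i, 160 * i, 0x0BADCAFE, 170)))            # UDP Len=182
        d.append(("192.168.20.1", 53000, "192.168.20.130", 9999,
                  make_rtp(0, 7 * i, 0, 0x11111111, 50)))                     # seq jumps by 7
    d.append(("192.168.20.132", 5353, "192.168.20.130", 53, b"\x12\x34\x01\x00" + bytes(20)))
    return d


if __name__ == "__main__":
    for stream in find_rtp_streams(build_sample()):
        print(stream)
```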


[Wireshark capture]

No.  Time       Source          Destination     Protocol  Length  Info
14   23.132688  192.168.20.130  192.168.20.1    RTCP      86      Receiver Report Source description
15   23.630139  192.168.20.132  192.168.20.130  SIP/SDP   1079    Request: INVITE sip:1111@192.168.20.130 |
16   23.631114  192.168.20.130  192.168.20.132  SIP       605     Status: 401 Unauthorized |
17   23.633029  192.168.20.132  192.168.20.130  SIP       420     Request: ACK sip:1111@192.168.20.130 |

Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 63214, Dst Port: 5060
Session Initiation Protocol (INVITE)
    Request-Line: INVITE sip:1111@192.168.20.130 SIP/2.0
    Message Header
    Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): - 3730467468 3730467468 IN IP4 192.168.20.132
            Session Name (s): pjmedia
            Bandwidth Information (b): AS:84
            Time Description, active time (t): 0 0
            Session Attribute (a): X-nat:0
            Media Description, name and address (m): audio 4004 RTP/AVP 123 8 0 101
                Media Type: audio
                Media Format: DynamicRTP-Type-123
                Media Format: ITU-T G.711 PCMA
                Media Format: ITU-T G.711 PCMU
                Media Format: DynamicRTP-Type-101
            Connection Information (c): IN IP4 192.168.20.132
            Bandwidth Information (b): TIAS:64000
            Media Attribute (a): rtcp:4005 IN IP4 192.168.20.132

Undecoded RTP Traffic 


[Wireshark capture; address columns are unreadable for most rows]

No.  Time       Protocol  Length  Info
661  23.884012  UDP       214     17430 > 4000 Len=172
662  23.903032  UDP       214     4000 > 17430 Len=172
663  23.903302  UDP       214     16374 > 4000 Len=172
664  23.904066  UDP       214     4000 > 16374 Len=172
665  23.904167  UDP       214     17430 > 4000 Len=172
666  23.923545  UDP       214     4000 > 17430 Len=172
667  23.923824  UDP       214     16374 > 4000 Len=172
668  23.924438  UDP       214     4000 > 16374 Len=172
669  23.924589  UDP       214     17430 > 4000 Len=172
670  23.943786  UDP       214     4000 > 17430 Len=172
671  23.944063  UDP       214     16374 > 4000 Len=172

Frame 662: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Data (172 bytes)


Decode As


[Screenshot: Wireshark packet context menu opened on UDP frame 662 (Src Port: 4000, Dst Port: 17430, Data: 172 bytes)]


Decode As RTP


[Screenshot: Wireshark - Decode As... dialog]


RTP Traffic


[Wireshark capture; address columns are unreadable for most rows]

No.  Time       Length  Info
653  23.843404  214     PT=ITU-T G.711 PCMU, SSRC=0x47A214A7, Seq=26410, Time=21440
654  23.862647  214     PT=ITU-T G.711 PCMU, SSRC=0x32D417E6, Seq=29493, Time=21600
655  23.863368  214     PT=ITU-T G.711 PCMU, SSRC=0x5B7C483D, Seq=10392, Time=21600
656  23.863618  214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=14717, Time=21600
657  23.863759  214     PT=ITU-T G.711 PCMU, SSRC=0x47A214A7, Seq=26411, Time=21600
658  23.882829  214     PT=ITU-T G.711 PCMU, SSRC=0x32D417E6, Seq=29494, Time=21760
659  23.883135  214     PT=ITU-T G.711 PCMU, SSRC=0x5B7C483D, Seq=10393, Time=21760
660  23.883902  214     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=14718, Time=21760
661  23.884012  214     PT=ITU-T G.711 PCMU, SSRC=0x47A214A7, Seq=26412, Time=21760
662  23.903032          PT=ITU-T G.711 PCMU, SSRC=0x32D417E6, Seq=29495, Time=21920
663  23.903302          PT=ITU-T G.711 PCMU, SSRC=0x5B7C483D, Seq=10394, Time=21920

Frame 662: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 17430
Real-Time Transport Protocol


Checking RTP Streams


[Screenshot: Wireshark Telephony menu (entries include VoIP Calls, GSM, IAX2 Stream Analysis, LTE, MTP3, Osmux, UCP Messages, H.225, SIP Flows, WAP-WSP Packet Counter) opened over the decoded RTP packet list, frames 653 to 663]


Analysing RTP Streams


[Wireshark RTP Stream Analysis: 192.168.20.132:4000 ↔ 192.168.20.130:17430]

             Forward              Reverse
SSRC         0x32d417e6           0x47a214a7
Max Delta    23.37 ms @ 989       24.31 ms @ 180
Max Jitter   1.49 ms              1.32 ms
Mean Jitter  0.87 ms              0.77 ms
Max Skew     40.44 ms             30.31 ms
RTP Packets  529                  524
Expected     529                  524
Lost         0 (0.00 %)           0 (0.00 %)
Seq Errs     0                    0
Start at     21.201381 s @ 108    21.269697 s @ 125
Duration     10.52 s              10.44 s
Clock Drift  -1030 ms             -1053 ms
Freq Drift   7217 Hz (-9.79 %)    7193 Hz (-10.09 %)

Forward to reverse start diff 0.068316 s @ 17
2 streams found.

[Per-packet table under the Forward, Reverse and Graph tabs. Columns: Packet, Sequence, Delta (ms), Jitter (ms), Skew, Bandwidth, Marker, Status]


Playing RTP Streams


[Wireshark RTP Player]

Source Address  Source Port  Destination Address  Destination Port  SSRC        Setup Frame  Packets  Time Span (s)       Sample Rate (Hz)  Payloads
192.168.20.1    4000         192.168.20.130       16374             0x00294823  4294967295   528      21.2 - 31.7 (10.5)  8000              g711U
192.168.20.130  16374        192.168.20.1         4000              0x5b7c483d  4294967295   524      21.3 - 31.7 (10.4)  8000              g711U

Output Device: Speakers (Realtek High Definition Audio)
Jitter Buffer: 50    Playback Timing: Jitter Buffer


Possible Configurations


* SIP + RTP
* SIP over TLS + RTP
* SIP + SRTP
* SIP over TLS + SRTP


TLS key exchange methods


TLS uses symmetric ciphers (e.g. AES, Blowfish) to encrypt the data


* Two key exchange options in practice
— DHE (Diffie Hellman Key Exchange)
— RSA (Asymmetric encryption)


Diffie Hellman Exchange


Assumption


* Attacker even after seeing the exchanged colours can't guess the secret colour.
* Attacker knows [image] and also [image], but can't know which colour is added.


[Diagram: paint-mixing illustration of the Diffie-Hellman exchange. Labels: Common paint, Secret colours, Public transport (assume that mixture separation is expensive), Secret colours, Common secret]


More on: en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange


RSA (Asymmetric Encryption ) 


[Diagram: Sender encrypts the plaintext with the recipient's public key; the recipient decrypts it with the recipient's private key]


Different keys are used to encrypt and decrypt the message


Observations? 


* Can't recover keys derived with ECDHE/DHE by listening to traffic 


* For RSA, if we can get the private key of the server, we can decrypt the traffic
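

Added example (not part of the original slides): a check a server owner can run against a captured ServerHello to see which side of these observations a SIP-over-TLS session falls on, by reading the negotiated cipher suite and classifying its key exchange. Function names are hypothetical, the suite table covers only a few common TLS 1.0 to 1.2 suites (IANA values), and the records are constructed.

```python
import struct

# Key exchange family for a few common TLS 1.0-1.2 cipher suites (IANA values).
KEY_EXCHANGE = {
    0x002F: "RSA", 0x0035: "RSA", 0x009C: "RSA", 0x009D: "RSA",
    0x0033: "DHE", 0x0039: "DHE", 0x009E: "DHE", 0x009F: "DHE",
    0xC013: "ECDHE", 0xC014: "ECDHE", 0xC02F: "ECDHE", 0xC030: "ECDHE",
}


def server_hello_cipher_suite(record):
    """Return the cipher suite chosen in a TLS ServerHello record, or None."""
    if len(record) < 5:
        return None
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if content_type != 22 or len(body) < 4 or body[0] != 2:   # handshake, ServerHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:
        return None
    sid_len = hello[34]                  # follows 2-byte version and 32-byte random
    off = 35 + sid_len
    if len(hello) < off + 2:
        return None
    return int.from_bytes(hello[off:off + 2], "big")


def assess_forward_secrecy(record):
    """Return (key_exchange, forward_secret) or None if record is not a ServerHello.

    forward_secret is False for RSA key exchange (a recorded session can be
    decrypted later with the server private key), True for DHE/ECDHE, and
    None when the suite is not in the table.
    """
    suite = server_hello_cipher_suite(record)
    if suite is None:
        return None
    kx = KEY_EXCHANGE.get(suite)
    if kx is None:
        return ("unknown suite 0x%04X" % suite, None)
    return (kx, kx in ("DHE", "ECDHE"))


def build_server_hello(suite, session_id=b""):
    """Build a constructed TLS 1.0 ServerHello record carrying the given suite."""
    hello = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!HB", suite, 0))
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for suite in (0x0035, 0x0039, 0xC014):
        print(hex(suite), assess_forward_secrecy(build_server_hello(suite, bytes(32))))
```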
TLS Traffic (SIP over TLS)


[Wireshark capture]

Time      Destination     Protocol  Length  Info
.172139   192.168.20.130  TLSv1     253     Client Hello
…         192.168.20.132  TLSv1     1246    Server Hello, Certificate, Server Key Exchange, Certificate Request,
.181390   192.168.20.130  TLSv1     200     Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Hands
.182741   192.168.20.132  TLSv1     304     New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
.183127   192.168.20.130  TLSv1     784     Application Data, Application Data
.183904   192.168.20.132  TLSv1     688     Application Data, Application Data
.184221   192.168.20.130  TLSv1     1088    Application Data, Application Data
.187834   192.168.20.132  TLSv1     656     Application Data, Application Data
.237912   192.168.20.132  TLSv1     1370    Application Data, Application Data, Application Data, Application Dat
.238220   192.168.20.130  TLSv1     928     Application Data, Application Data
.277703   192.168.20.130  TLSv1     512     Application Data, Application Data

Frame 15: 253 bytes on wire (2024 bits), 253 bytes captured (2024 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49532, Dst Port: 5061, Seq: 1, Ack: 1, Len: 199
Secure Sockets Layer


Diffie Hellman Exchange


[Wireshark capture; address columns are unreadable for most rows]

Time      Protocol  Length  Info
.172139   TLSv1     253     Client Hello
…         TLSv1     1246    Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hell...
.181390   TLSv1     200     Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
.182741   TLSv1     304     New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
.183127   TLSv1     784     Application Data, Application Data
.183904   TLSv1     688     Application Data, Application Data
.184221   TLSv1     1088    Application Data, Application Data
.187834   TLSv1     656     Application Data, Application Data
.237912   TLSv1     1370    Application Data, Application Data, Application Data, Application Data

Frame 19: 200 bytes on wire (1600 bits), 200 bytes captured (1600 bits)
Ethernet II, Src: Vmware_6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware_ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49532, Dst Port: 5061, Seq: 200, Ack: 1193, Len: 146
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Certificate
    TLSv1 Record Layer: Handshake Protocol: Client Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 70
        Handshake Protocol: Client Key Exchange
            Handshake Type: Client Key Exchange (16)
            Length: 66
    TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
    TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message
A m 6 I 


Edit 


View 


N 


Go 


Undecoded SRTP Traffic 


Capture 


BBQ Φ 


A Apply a display filter ... <Ctrl-/> 


Analyze 


Statistics 


Telephony 


Wireless 


Tools 


6 8 6 Ἡ 


Help 


No. 


714 
715 
716 
717 
718 
719 
720 
721 
722 
723 


Time 

103.046522 
103.049044 
103.049234 
103.066609 
103.067006 
103.079392 
103.079609 
103.086695 
103.087313 
103.089180 


Source 


182. 
192. 
192. 
192. 
192. 
192. 
192. 
192. 
192. 
192. 


168.20.130 
168.20.1 

168.20.130 
168.20.132 
168.20.130 
168.20.1 

168.20.130 
168.20.132 
168.20.130 
168.20.1 


Destination 
.168.20.1 
.168.20.130 
.168.20.132 
.168.20.130 
.168.20.1 
.168.20.130 
.168.20.132 
.168.20.130 
.168.20.1 
.168.20.130 


Protocol 


Length 
224 
224 
224 
224 
224 
224 
224 
224 
224 
224 


Ta Info 
13288 > 4000 
4000 > 13288 
13408 > 4000 
4000 > 13408 
13288 > 4000 
4000 > 13288 
13408 > 4000 
4000 > 13408 
13288 > 4000 
4000 > 13288 


Len=182 
Len=182 
Len=182 
Len=182 
Len=182 
Len=182 
Len=182 
Len=182 
Len=182 
Len=182 


Frame 719: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits) 
Ethernet II, Src: Vmware c0:00:08 (00:50:56:c0:00:08), Dst: Vmware ff:65:9b (00:0c:29:ff:65:9b) 
Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130 
User Datagram Protocol, Src Port: 4000, Dst Port: 13288 
Data (182 bytes) 
Decode As


[Screenshot: Wireshark packet list (packets 714 to 723, UDP, Length 224, Len=182) with the right-click menu open on packet 714. Visible entries: Mark/Unmark Packet, Ignore/Unignore Packet, Set/Unset Time Reference, Time Shift..., Packet Comment..., Edit Resolved Name, Apply as Filter, Prepare a Filter, Conversation Filter, Colorize Conversation, SCTP, Follow, Copy, Show Packet in New Window.]

Frame 714: 224 bytes on wire (1792 bits), 224 bytes captured
Internet Protocol Version 4, Src: 192.168.20.130
User Datagram Protocol, Src Port: 13288, Dst Port: 4000
Data (182 bytes)


Decode As RTP


Wireshark - Decode As...
Checking RTP Streams


[Screenshot: Wireshark with the Telephony menu open over the packet list (visible entries: VoIP Calls, GSM, IAX2 Stream Analysis, LTE, MTP3, Osmux, UCP Messages, SIP Flows, SIP Statistics, WAP-WSP Packet Counter). The menu hides part of rows 711 to 715.]

No.  Time        Source          Length  Info
706  103.005510  192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x3EFBC86D, Seq=27905, Time=7040
707  103.018094  192.168.20.1    224     PT=ITU-T G.711 PCMU, SSRC=0x4DCD5225, Seq=16871, Time=7040
708  103.018467  192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x6A41E0F3, Seq=385, Time=7040
709  103.025686  192.168.20.132  224     PT=ITU-T G.711 PCMU, SSRC=0x294823, Seq=15098, Time=7200
710  103.026046  192.168.20.130  224     PT=ITU-T G.711 PCMU, SSRC=0x3EFBC86D, Seq=27906, Time=7200
711  103.038299  192.168.20.1            ...711 PCMU, SSRC=0x4DCD5225, Seq=16872, Time=7200
712  103.038516  192.168.20.130          ...711 PCMU, SSRC=0x6A41E0F3, Seq=386, Time=7200
713  103.045972  192.168.20.132          ...711 PCMU, SSRC=0x294823, Seq=15099, Time=7360
714  103.046522  192.168.20.130  224     PT=ITU-T ... PCMU, SSRC=0x3EFBC86D, Seq=27907, Time=7360
715  103.049044  192.168.20.1    224     PT=ITU-T ... PCMU, SSRC=0x4DCD5225, Seq=16873, Time=7360

Frame 714: 224 bytes on wire (1792 bits)
User Datagram Protocol, Src Port: 13288
Real-Time Transport Protocol
Analysing RTP Streams


[Screenshot: Wireshark RTP Stream Analysis for 192.168.20.130:13288 and 192.168.20.1:4000, with Forward, Reverse and Graph tabs. The per-packet table has the columns Packet, Sequence, Delta (ms), Jitter (ms), Skew, Bandwidth, Marker, Status; its rows are not legible. 2 streams found.]

Forward
    SSRC        0x3efbc86d
    Max Delta   40.57 ms @ 540
    Max Jitter  1.52 ms
    Lost        1 (0.16 %)
    SeqErrs     1
    Start at    102.171933 s @ 525
    Freq Drift  3451 Hz (-56.86 %)

Reverse
    SSRC         0x4dcd5225
    Max Delta    30.43 ms @ 1370
    Mean Jitter  0.90 ms
    RTP Packets  617
    Expected     617
    Lost         0 (0.00 %)
    SeqErrs      0
    Duration     12.29 s
    Clock Drift  -6961 ms
    Freq Drift   3468 Hz (-56.64 %)

Forward to reverse start diff -0.014346 s @ -3
Playing RTP Streams


[Screenshot: Wireshark - RTP Player. Waveform legend: Jitter Drops, Wrong Timestamps, Inserted Silence; time axis from 106 to 114. Output Device: Speakers (Realtek High Definition Audio). Jitter Buffer: 50. Playback Timing: Jitter Buffer, Time of Day.]

Source Address  Source Port  Destination Address  Destination Port  SSRC        Setup Frame  Packets  Time Span (s)     Sample Rate (Hz)  Payloads
192.168.20.132  4000         192.168.20.130       13408             0x00294823  4294967295   616      102 - 114 (12.3)  8000              g711U
192.168.20.130  13408        192.168.20.132       4000              0x6a41e0f3  4294967295   616      102 - 114 (12.3)  8000              g711U
TLS Traffic (SIP over TLS)


[Screenshot: Wireshark packet list for Call to VoiceMail.pcap; the Source and Destination columns are clipped.]

Time       Protocol  Length  Info
3.025978   TLSv1     253     Client Hello
3.031243   TLSv1     1030    Server Hello, Certificate, Certificate Request, Server Hello Done
3.032252   TLSv1             Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handsh..
3.033610   TLSv1             New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
3.035114   TLSv1             Application Data, Application Data
3.036454   TLSv1             Application Data, Application Data
3.036892   TLSv1             Application Data, Application Data
3.039477   TLSv1             Application Data, Application Data
3.089799   TLSv1             Application Data, Application Data, Application Data, Application Data
3.090170   TLSv1             Application Data, Application Data
3.130640   TLSv1             Application Data, Application Data
10.968782  TLSv1             Application Data, Application Data
10.970517  TLSv1             Application Data, Application Data
10.970920  TLSv1             Application Data, Application Data
10.971375  TLSv1             Application Data, Application Data
10.973943  TLSv1             Application Data, Application Data
11.075535  TLSv1             Application Data, Application Data


Frame 9: 253 bytes on wire (2024 bits), 253 bytes captured (2024 bits)
Ethernet II, Src: Vmware 6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49481, Dst Port: 5061, Seq: 1, Ack: 1, Len: 199
Secure Sockets Layer
RSA based key exchange


Time      Source          Destination     Protocol  Length  Info
3.025978  192.168.20.132  192.168.20.130  TLSv1     253     Client Hello
3.031243  192.168.20.130  192.168.20.132  TLSv1     1030    Server Hello, Certificate, Certificate Request, Server Hello Done
3.032252  192.168.20.132  192.168.20.130  TLSv1             Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handsh..
3.033610  192.168.20.130  192.168.20.132  TLSv1     304     New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
3.035114  192.168.20.132  192.168.20.130  TLSv1             Application Data, Application Data
3.036454  192.168.20.130  192.168.20.132  TLSv1             Application Data, Application Data
3.036892  192.168.20.132  192.168.20.130  TLSv1     1088    Application Data, Application Data


Frame 12: 264 bytes on wire (2112 bits), 264 bytes captured (2112 bits)
Ethernet II, Src: Vmware 6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
Transmission Control Protocol, Src Port: 49481, Dst Port: 5061, Seq: 200, Ack: 977, Len: 210
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Certificate
    TLSv1 Record Layer: Handshake Protocol: Client Key Exchange
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 134
        Handshake Protocol: Client Key Exchange
            Handshake Type: Client Key Exchange (16)
            Length: 130
    TLSv1 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
    TLSv1 Record Layer: Handshake Protocol: Encrypted Handshake Message
Decrypting TLS traffic


RSA is used to exchange keys


We can decrypt with the private key installed on Asterisk One


Keys and certificate location on Asterisk One: /etc/asterisk/keys


We have to get the default.key from the server


[root@localhost keys]#
total 32
asterisk asterisk 215 Mar 19 03:59 ca.cfg
-rw-rw-r--. 1 asterisk asterisk 1789 Mar 19 03:59 ca.crt
-rw-rw-r--. 1 asterisk asterisk 3311 Mar 19 03:59 ca.ke
drwxrwxr-x. 2 asterisk asterisk 4096 Mar 19 03:59 integ
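
The two captures differ in one visible way: the Diffie Hellman handshake carries a Server Key Exchange message and the RSA handshake does not, which is why only the RSA session can be decrypted from the server's private key. The added example below (not from the talk) walks the cleartext handshake messages of a TLS stream and reports which case applies; the byte streams and the cipher suite choices are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20          # TLS record content types

MSG_NAMES = {1: "Client Hello", 2: "Server Hello", 11: "Certificate",
             12: "Server Key Exchange", 13: "Certificate Request",
             14: "Server Hello Done", 16: "Client Key Exchange"}

# A few TLS 1.0-era suites mapped to (name, key-exchange family).
SUITES = {0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
          0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
          0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
          0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
          0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
          0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE")}


def parse_flight(stream):
    """Return (handshake message names, negotiated suite id) up to ChangeCipherSpec."""
    handshake, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        pos += 5 + length
        if ctype == CHANGE_CIPHER_SPEC:
            break                               # later handshake records are encrypted
        if ctype == HANDSHAKE:
            handshake += body                   # messages may share or span records

    names, suite, pos = [], None, 0
    while pos + 4 <= len(handshake):
        mtype = handshake[pos]
        mlen = int.from_bytes(handshake[pos + 1:pos + 4], "big")
        msg = handshake[pos + 4:pos + 4 + mlen]
        if len(msg) < mlen:
            raise ValueError("truncated handshake message")
        pos += 4 + mlen
        names.append(MSG_NAMES.get(mtype, f"type {mtype}"))
        if mtype == 2 and len(msg) >= 38:       # ServerHello: version, random, session id, suite
            sid_len = msg[34]
            suite = int.from_bytes(msg[35 + sid_len:37 + sid_len], "big")
    return names, suite


def assess(stream):
    """Say whether the server's RSA private key alone would decrypt this session."""
    names, suite = parse_flight(stream)
    name, kx = SUITES.get(suite, ("unlisted suite", "unknown"))
    ephemeral = "Server Key Exchange" in names
    return {"messages": names, "suite": name, "key_exchange": kx,
            "forward_secret": ephemeral and kx in ("DHE", "ECDHE"),
            "decryptable_with_server_key": kx == "RSA" and not ephemeral}


# --- constructed sample data (not bytes from the talk's captures) ---
def _msg(mtype, body=b""):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def _record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload


def sample_flight(suite, with_server_key_exchange):
    """Server and client flights in the message order the two screenshots show.

    A real tool would reassemble each TCP direction before parsing."""
    hello = _msg(2, b"\x03\x01" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00")
    server = hello + _msg(11, bytes(8))
    if with_server_key_exchange:
        server += _msg(12, bytes(8))
    server += _msg(13, bytes(4)) + _msg(14)
    # Client Key Exchange lengths follow the slides: 66 (DH) and 130 (RSA).
    client = _msg(11, bytes(8)) + _msg(16, bytes(66 if with_server_key_exchange else 130))
    return (_record(HANDSHAKE, server) + _record(HANDSHAKE, client)
            + _record(CHANGE_CIPHER_SPEC, b"\x01") + _record(HANDSHAKE, bytes(48)))


if __name__ == "__main__":
    for label, flight in (("DH capture", sample_flight(0xC014, True)),
                          ("RSA capture", sample_flight(0x0035, False))):
        result = assess(flight)
        print(label, result["suite"], "decryptable:", result["decryptable_with_server_key"])
```

A deployment that wants captured signalling to stay confidential after a key compromise should see only the first result on its SIP-over-TLS port.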
Edit » Preferences » Protocol » SSL


[Screenshot: Wireshark Preferences dialog, Secure Sockets Layer page, with the protocol list on the left. Options shown: RSA keys list, SSL debug file, Reassemble SSL records spanning multiple TCP segments, Reassemble SSL Application Data spanning multiple SSL records, Message Authentication Code (MAC), ignore "mac failed", Pre-Shared-Key, (Pre)-Master-Secret log filename.]
Adding Asterisk default private key


C:\Users\Nishant\AppData\Roaming\Wireshark\ssl_keys
Decrypted SIP traffic


No.   Time       Source          Destination     Protocol  Length  Info
17    3.039477   192.168.20.130  192.168.20.132  SIP       656     Status: 200 OK (1 binding)
19    3.089799   192.168.20.130  192.168.20.132  SIP       1370    Request: OPTIONS sip:1111@192.168.20.132:49481;transport=TLS;ob
20    3.090170   192.168.20.132  192.168.20.130  SIP       928     Status: 200 OK
22    3.130640   192.168.20.132  192.168.20.130  SIP       512     Status: 200 OK
28    10.968782  192.168.20.132  192.168.20.130  SIP/SDP   1584    Request: INVITE sip:2222@192.168.20.130;transport=tls
30    10.970517  192.168.20.130  192.168.20.132  SIP       688     Status: 401 Unauthorized
31    10.970920  192.168.20.132  192.168.20.130  SIP       528     Request: ACK sip:2222@192.168.20.130;transport=tls
32    10.971375  192.168.20.132  192.168.20.130  SIP/SDP   1888    Request: INVITE sip:2222@192.168.20.130;transport=tls
34    10.973943  192.168.20.130  192.168.20.132  SIP       496     Status: 100 Trying
36    11.075535  192.168.20.130  192.168.20.132  SIP/SDP   1184    Status: 200 OK
39    11.077488  192.168.20.132  192.168.20.130  SIP       512     Request: ACK sip:192.168.20.130:5061;transport=TLS
48    11.117569  192.168.20.132  192.168.20.130  SIP/SDP   1120    Request: UPDATE sip:192.168.20.130:5061;transport=TLS
50    11.118325  192.168.20.130  192.168.20.132  SIP/SDP   1152    Status: 200 OK
2302  33.695049  192.168.20.130  192.168.20.132  SIP       592     Request: BYE sip:1111@192.168.20.132:49481;transport=TLS;ob
2303  33.695785  192.168.20.132  192.168.20.130  SIP       496     Status: 200 OK


Frame 50: 1152 bytes on wire (9216 bits), 1152 bytes captured (9216 bits)
Ethernet II, Src: Vmware ab:b1:84 (00:0c:29:ab:b1:84), Dst: Vmware 6f:87:d6 (00:0c:29:6f:87:d6)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.132
Transmission Control Protocol, Src Port: 5061, Dst Port: 49481, Seq: 5985, Ack: 8868, Len: 1098
Secure Sockets Layer
Session Initiation Protocol (200)
SRTP key in SIP/SDP decrypted packet


Time       Source          Destination     Protocol  Length  Info
10.968782  192.168.20.132  192.168.20.130  SIP/SDP   1584    Request: INVITE sip:2222@192.168.20.130;transport=tls
10.971375  192.168.20.132  192.168.20.130  SIP/SDP   1888    Request: INVITE sip:2222@192.168.20.130;transport=tls
11.075535  192.168.20.130  192.168.20.132  SIP/SDP   1184    Status: 200 OK
11.117569  192.168.20.132  192.168.20.130  SIP/SDP   1120    Request: UPDATE sip:192.168.20.130:5061;transport=TLS
11.118325  192.168.20.130  192.168.20.132  SIP/SDP   1152    Status: 200 OK


Frame 50: 1152 bytes on wire (9216 bits), 1152 bytes captured (9216 bits)
Ethernet II, Src: Vmware ab:b1:84 (00:0c:29:ab:b1:84), Dst: Vmware 6f:87:d6 (00:0c:29:6f:87:d6)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.132
Transmission Control Protocol, Src Port: 5061, Dst Port: 49481, Seq: 5985, Ack: 8868, Len: 1098
Secure Sockets Layer
Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
    Message Header
    Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): - 3730743973 3730743976 IN IP4 192.168.20.130
            Session Name (s): Asterisk
            Connection Information (c): IN IP4 192.168.20.130
            Time Description, active time (t): 0 0
            Media Description ... [lines unreadable in the screenshot]
            Media Attribute (a): rtpmap:0 PCMU/8000
            Media Attribute (a): rtpmap:101 telephone-event/8000
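
SDES carries the SRTP master key and salt in the SDP body as an `a=crypto` line, which is the `crypto:1` media attribute Wireshark shows once the SIP message is readable. The added example below (not from the talk) parses that attribute and reports whether the signalling transport named in the top Via header protected it; the SIP messages, addresses and key are constructed.

```python
import base64
import hashlib
import re

# Master key / master salt sizes in bytes for the SDES suites of RFC 4568.
SUITE_SIZES = {"AES_CM_128_HMAC_SHA1_80": (16, 14),
               "AES_CM_128_HMAC_SHA1_32": (16, 14),
               "F8_128_HMAC_SHA1_80": (16, 14)}

CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+)[ \t]+(\S+)[ \t]+inline:([A-Za-z0-9+/=]+)((?:\|[^\s|]+)*)", re.M)
VIA_RE = re.compile(r"^(?:Via|v)[ \t]*:[ \t]*SIP/2\.0/(\w+)", re.M | re.I)


def parse_crypto(sdp):
    """Parse every a=crypto line into tag, suite, master key and master salt."""
    offers = []
    for tag, suite, b64, extra in CRYPTO_RE.findall(sdp):
        if suite not in SUITE_SIZES:
            raise ValueError(f"unknown crypto suite {suite}")
        key_len, salt_len = SUITE_SIZES[suite]
        raw = base64.b64decode(b64, validate=True)
        if len(raw) != key_len + salt_len:
            raise ValueError(
                f"crypto:{tag} carries {len(raw)} bytes, expected {key_len + salt_len}")
        offers.append({"tag": int(tag), "suite": suite,
                       "master_key": raw[:key_len], "master_salt": raw[key_len:],
                       # Optional lifetime and MKI parameters, kept as text.
                       "key_params": [p for p in extra.split("|") if p]})
    return offers


def audit_message(sip_message):
    """Report SDES keys in a SIP message and whether the signalling hop hid them."""
    via = VIA_RE.search(sip_message)
    transport = via.group(1).upper() if via else "UNKNOWN"
    findings = []
    for offer in parse_crypto(sip_message):
        material = offer["master_key"] + offer["master_salt"]
        findings.append({
            "tag": offer["tag"], "suite": offer["suite"], "transport": transport,
            # Record a fingerprint for correlation, never the key itself.
            "key_fingerprint": hashlib.sha256(material).hexdigest()[:16],
            "exposed_on_wire": transport != "TLS"})
    return findings


# --- constructed sample data: 30 bytes of key||salt, documentation addresses ---
KEY_B64 = base64.b64encode(bytes(range(30))).decode()


def sample_message(transport, port):
    return "\r\n".join([
        "SIP/2.0 200 OK",
        f"Via: SIP/2.0/{transport} 192.0.2.10:{port};branch=z9hG4bKconstructed",
        "Content-Type: application/sdp",
        "",
        "v=0",
        "o=- 1 1 IN IP4 192.0.2.20",
        "s=Asterisk",
        "c=IN IP4 192.0.2.20",
        "t=0 0",
        "m=audio 4000 RTP/SAVP 0 101",
        f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY_B64}",
        "a=rtpmap:0 PCMU/8000",
        "a=rtpmap:101 telephone-event/8000",
        ""])


if __name__ == "__main__":
    for transport, port in (("UDP", 5060), ("TLS", 5061)):
        for finding in audit_message(sample_message(transport, port)):
            print(finding)
```

Even when the transport is TLS, the key is still readable by every SIP proxy on the path and by anyone able to decrypt the TLS session, which is the RSA case shown earlier in the talk.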
Open Source Tools for Decrypting SRTP


* SRTP Decrypt 


* Libsrtp 
SRTP Decrypt


Tool to decipher SRTP packets


Takes the symmetric key to decrypt the SRTP traffic


Outputs decrypted packets in the form of a hexdump


Wireshark can reconstruct RTP packets from the hexdump
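
What reconstructing RTP from the hexdump involves, as an added example (not part of srtp-decrypt or the talk): it splits a dump into packets, decodes each RTP header and computes the per-SSRC counts that Wireshark's RTP Stream Analysis reports. The dump layout (a timestamp line followed by offset-prefixed hex lines, as in the decoded.raw excerpt later in the talk) is an assumption, and the sample packets are constructed.

```python
import re
import struct

OFFSET_LINE = re.compile(r"^([0-9a-fA-F]{4,})\s+((?:[0-9a-fA-F]{2}\s*)+)$")


def packets_from_hexdump(text):
    """Split a text2pcap-style dump into packets; offset 0 starts a new packet."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        match = OFFSET_LINE.match(line.strip())
        if not match:
            continue                                # timestamp or blank line
        if int(match.group(1), 16) == 0 and current:
            packets.append(bytes(current))
            current = bytearray()
        current += bytes.fromhex(match.group(2))
    if current:
        packets.append(bytes(current))
    return packets


def parse_rtp(pkt):
    """Decode the RTP header (RFC 3550) and return its fields plus the payload."""
    if len(pkt) < 12:
        raise ValueError("shorter than an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack_from("!BBHII", pkt)
    if b0 >> 6 != 2:
        raise ValueError("RTP version is not 2")
    header_len = 12 + 4 * (b0 & 0x0F)               # CSRC list
    if b0 & 0x10:                                   # extension header present
        if len(pkt) < header_len + 4:
            raise ValueError("truncated extension header")
        header_len += 4 + 4 * struct.unpack_from("!H", pkt, header_len + 2)[0]
    if len(pkt) < header_len:
        raise ValueError("truncated RTP header")
    return {"pt": b1 & 0x7F, "marker": bool(b1 >> 7), "seq": seq, "ts": ts,
            "ssrc": ssrc, "payload": pkt[header_len:]}


def stream_stats(packets):
    """Per-SSRC packet, expected, lost and sequence-error counts; also rejects."""
    streams, rejected = {}, 0
    for pkt in packets:
        try:
            rtp = parse_rtp(pkt)
        except ValueError:
            rejected += 1
            continue
        s = streams.setdefault(rtp["ssrc"], {"pt": rtp["pt"], "packets": 0,
                                             "first": rtp["seq"], "ext": rtp["seq"],
                                             "seq_errs": 0})
        if s["packets"]:
            delta = (rtp["seq"] - s["ext"]) & 0xFFFF    # forward distance mod 2^16
            if delta != 1:
                s["seq_errs"] += 1
            if delta < 0x8000:                          # moved forward, wrap included
                s["ext"] += delta
        s["packets"] += 1
    for s in streams.values():
        s["expected"] = s["ext"] - s["first"] + 1
        s["lost"] = s["expected"] - s["packets"]
    return streams, rejected


# --- constructed sample: PCMU packets, sequence wraps at 65535 and skips 1 ---
def to_hexdump(packets):
    lines = []
    for i, pkt in enumerate(packets):
        lines.append(f"00:00.{i * 20000:06d}")
        for off in range(0, len(pkt), 16):
            lines.append(f"{off:04x} " + " ".join(f"{b:02x}" for b in pkt[off:off + 16]))
    return "\n".join(lines)


def sample_dump():
    packets = [struct.pack("!BBHII", 0x80, 0, seq, 160 * n, 0x11223344) + b"\xff" * 160
               for n, seq in enumerate([65534, 65535, 0, 2])]
    return to_hexdump(packets)


if __name__ == "__main__":
    streams, rejected = stream_stats(packets_from_hexdump(sample_dump()))
    for ssrc, s in streams.items():
        print(f"SSRC 0x{ssrc:08x}: packets={s['packets']} expected={s['expected']} "
              f"lost={s['lost']} seq_errs={s['seq_errs']} rejected={rejected}")
```

Frames that srtp-decrypt drops never reach the dump, so they show up here as lost sequence numbers.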
SRTP Decrypt


* GitHub: https://github.com/gteissier/srtp-decrypt

[Screenshot: GitHub repository page for gteissier/srtp-decrypt, "Deciphers SRTP packets". 10 commits, 1 branch, 0 releases, 1 contributor; Star 17, Fork 12. Latest commit ac50693 on Jan 18, 2016: "Increment offset using words, not bytes".]



SRTP Decrypt: Pre-Installation 


* Installing libgcrypt 
pentester@PentesterAcademy:~/work/srtp-decrypt$ sudo apt-get install libgcrypt-dev
sudo: unable to resolve host PentesterAcademy 
Reading package lists... Done 
Building dependency tree 
Reading state information... Done 
Note, selecting 'libgcrypt20-dev' instead of 'libgcrypt-dev' 
The following additional packages will be installed: 
libgcrypt20 libgpg-error-dev 
Suggested packages: 


* Installing libpcap 


sudo: unable to resolve host PentesterAcademy 
Reading package lists... Done 

Building dependency tree 

Reading state information... Done 


The following additional packages will be installed: 
libpcap0.8-dev 

The following NEW packages will be installed: 
libpcap-dev libpcap0.8-dev 
SRTP Decrypt: Installation


* Cloning
root@PentesterAcademy:/work# git clone https://github.com/gteissier/srtp-decrypt.git
Cloning into 'srtp-decrypt'...
remote: Counting objects: 35, done.
remote: Total 35 (delta 0), reused 0 (delta 0), pack-reused 35
Unpacking objects: 100% (35/35), done.


* Compiling
root@PentesterAcademy:/work/srtp-decrypt# make
cc -g -Os -Wall -c -o srtp.o srtp.c
cc -g -Os -Wall -c -o srtp-decrypt.o srtp-decrypt.c
cc -o srtp-decrypt srtp-decrypt.o srtp.o -lpcap -lgcrypt
SRTP Decrypt: Ready


[Screenshot: directory listing of the built tool; the permission and time columns are not legible.]

root@PentesterAcademy:/work/srtp-decrypt# ls -l
1 root root     273 Mar 17 Makefile
1 root root 2853144 Mar 17 marseillaise-srtp.pcap
1 root root     945 Mar 17 README.md
1 root root   22057 Mar 17 srtp.c
1 root root   54112 Mar 17 srtp-decrypt
1 root root    3917 Mar 17 srtp-decrypt.c
1 root root   26464 Mar 17 srtp-decrypt.o
1 root root    2720 Mar 17 srtp.h
1 root root   52096 Mar 17 srtp.o


SRTP Decrypt: Copying SRTP key


[Screenshot: Wireshark, capture "Normal Call two parties.pcap", SIP packets 188, 2312, 2313, 2317 and 2318 (200 OK and BYE messages; lengths 1051, 461, 446, 487, 406). Packet 188 is open in the details pane with the "Media Attribute (a): crypto:1" line selected, and the right-click menu is open: Expand Subtrees, Expand All, Collapse All, Apply as Column, Apply as Filter, Prepare a Filter, Conversation Filter, Colorize with Filter, Follow, Show Packet Bytes..., Export Packet Bytes..., Wiki Protocol Page, Filter Field Reference, Protocol Preferences, Decode As..., Go to Linked Packet, Show Linked Packet in New Window, and the copy options All Visible Items, All Visible Selected Tree Items, Description, Field Name, As Filter, Bytes as Hex + ASCII Dump, ...as Hex Dump, ...as Printable Text, ...as a Hex Stream, ...as Raw Binary, ...as Escaped String.]

Frame 188: 1051 bytes on wire
User Datagram Protocol, Src Port: 5060
Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
    Message Header
    Message Body
        Session Description Protocol
            Session Name (s): Asterisk
            Media Attribute (a): crypto:1 A... [clipped in the screenshot]
            Media Attribute (a): rtpmap:0 PCMU/8000
            Media Attribute (a): rtpmap:101 telephone-event/8000
            Media Attribute (a): fmtp:101 0-16
            Media Attribute (a): ptime:20
            Media Attribute (a): maxptime:150
            Media Attribute (a): sendrecv


SRTP Decrypt: UDP Ports


[Screenshot: Wireshark, capture "Normal Call two parties.pcap".]

No.  Time       Source          Destination     Protocol  Length  Info
195  29.354843  192.168.20.132  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x15BD2F81, Seq=15576, Time=320
196  29.355005  192.168.20.130  192.168.20.1    SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x4EFA778B, Seq=4650, Time=320
197  29.372665  192.168.20.1    192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25653, Time=640
198  29.372952  192.168.20.130  192.168.20.132  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16570, Time=640
199  29.375160  192.168.20.132  192.168.20.130  SRTP      224     PT=ITU-T G.711 PCMU, SSRC=0x15BD2F81, Seq=15577, Time=480

Frame 195: 224 bytes on wire (1792 bits), 224 bytes captured (1792 bits)
Ethernet II, Src: Vmware 6f:87:d6 (00:0c:29:6f:87:d6), Dst: Vmware ff:65:9b (00:0c:29:ff:65:9b)
Internet Protocol Version 4, Src: 192.168.20.132, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 17786
Real-Time Transport Protocol
SRTP Decrypt: Decrypting SRTP Traffic


Command: ./srtp-decrypt -k uK«RfjSi9/fUFr8zoJu6zdqPw6MGtONhgX4yqwRj < ./Normal Call two parties.pcap > decoded.raw


* -k: Defined SRTP key (uK«RfjSi9/fUFr8zoJu6zdqPw6MGtONhgX4yqwRj in this case)

* Normal Call two parties.pcap: Input file

* decoded.raw: Output file


root@PentesterAcademy:/work/srtp-decrypt# ./srtp-decrypt -k uK«RfjSi9/fUFr8zoJu6zdqPw6MGtONhgX4yqwRj < ../Normal Call two parties.pcap > decoded.raw
frame 0 dropped: decoding failed 'Permission denied'
frame 1 dropped: decoding failed 'Permission denied'
frame 2 dropped: decoding failed 'Permission denied'
frame 3 dropped: decoding failed 'Permission denied'
frame 4 dropped: decoding failed 'Permission denied'
frame 5 dropped: decoding failed 'Permission denied'
frame 6 dropped: decoding failed 'Permission denied'
frame 7 dropped: decoding failed 'Permission denied'
frame 8 dropped: decoding failed 'Permission denied'

SRTP Decrypt: decoded.raw 


Qo :08.731764 
0000 80 00 64 2e 00 00 00 a0 58 2f 39 0c 7e 7e 7e 7e


12 00a0 7e 7e ff ff ff fe fe fe fe fe fe fe 


"decoded.raw" 12838 lines --0%-- 
SRTP Decrypt: Importing Decrypted Content


[Screenshot: The Wireshark Network Analyzer with the File menu open. Visible entries: Open (Ctrl+O), Open Recent, Merge..., Close, Save (Ctrl+S), Save As... (Ctrl+Shift+S), File Set, Export Packet Dissections, Export Packet Bytes..., Export PDUs to File..., Export SSL Session Keys..., Export Objects, Print... (Ctrl+P), Quit (Ctrl+Q). The recent-files list shows earlier imports (import_20180320032643_a04600.pcapng, import_20180320015530_a09592.pcapng) and the voip_trial captures "SIP+RTP call trace merged.pcap", "SIP over TLS+RTP call trace.pcap", "SIP over TLS+SRTP call trace.pcap" and "SIP+SRTP_call_trace.pcap".]
SRTP Decrypt: Importing Decrypted Content


[Screenshot: "Wireshark - Import From Hex Dump" dialog. Import From: Offsets (Hexadecimal, Decimal, Octal, None), Timestamp format (No format will be applied), Direction indication. Encapsulation: Encapsulation Type: Ethernet; dummy header options No dummy header, Ethernet (Ethertype (hex)), IPv4 (Protocol (dec)), SCTP (Tag), SCTP (Data) (PPI); Maximum frame length.]
SRTP Decrypt: Imported Decrypted UDP Packets


[Screenshot: import 20180320032955 a10724.pcapng in Wireshark. The imported packets are listed as UDP, Len=172, with times from 0.000000 to 0.000006.]

Frame 1: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Send 00 (20:53:45:4e:44:00), Dst: Receive 00 (20:52:45:43:56:00)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
Data (172 bytes)
SRTP Decrypt: Decode As


[Screenshot: import 20180320032955 a10724.pcapng in Wireshark, seven UDP packets (Len=172) at times 0.000000 to 0.000006, with the right-click menu open. Visible entries: Mark/Unmark Packet (Ctrl+M), Ignore/Unignore Packet (Ctrl+D), Set/Unset Time Reference (Ctrl+T), Time Shift... (Ctrl+Shift+T), Packet Comment... (Ctrl+Alt+C), Edit Resolved Name, Apply as Filter, Prepare a Filter, Conversation Filter, Colorize Conversation, SCTP, Follow, Copy, Protocol Preferences, Decode As..., Show Packet in New Window.]

Frame 1: 214 bytes on wire (1712 bits)
Ethernet II, Src: Send 00 (20:53:45:4e:44:00)
Internet Protocol Version 4, Src: 1.1.1.1
User Datagram Protocol, Src Port: 4000
Data (172 bytes)
SRTP Decrypt: Decode As RTP


[Screenshot: "Wireshark - Decode As..." dialog.]

Field     Value  Type              Default  Current
UDP port  4000   Integer, base 10  ICQ      RTP
SRTP Decrypt: Decoded Packets


[Screenshot: import 20180320032955 a10724.pcapng in Wireshark after Decode As; the Source and Length columns are partly clipped.]

Time      Destination  Protocol  Info
0.000000  2.2.2.2      RTP       PT=ITU-T G.711 SSRC=0x60542655, Seq=16567, Time=160
0.000001  2.2.2.2      RTP       PT=ITU-T G.711 SSRC=0x60542655, Seq=16568, Time=320
0.000002  2.2.2.2      RTP       PT=ITU-T G.711 SSRC=0x60542655, Seq=16569, Time=480
0.000003  2.2.2.2      RTP       PT=ITU-T G.711 SSRC=0x60542655, Seq=16570, Time=640
0.000004  2.2.2.2      RTP       PT=ITU-T G.711 SSRC=0x60542655, Seq=16571, Time=800
0.000005  2.2.2.2      RTP       PT=ITU-T G.711 SSRC=0x60542655, Seq=16572, Time=960
0.000006  2.2.2.2      RTP       PT=ITU-T G.711 SSRC=0x60542655, Seq=16573, Time=1120


Frame 1: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Ethernet II, Src: Send 00 (20:53:45:4e:44:00), Dst: Receive 00 (20:52:45:43:56:00)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 2.2.2.2
User Datagram Protocol, Src Port: 4000, Dst Port: 17786
Real-Time Transport Protocol
SRTP Decrypt: Checking RTP Streams


[Screenshot: import 20180320032955 a10724.pcapng in Wireshark with the Telephony menu open over the packet list (visible entries: VoIP Calls, GSM, IAX2 Stream Analysis, LTE, MTP3, RTSP, SCTP, SMPP Operations, UCP Messages, H.225, SIP Flows, SIP Statistics, WAP-WSP Packet Counter). The menu hides part of rows 6 and 7.]

No.  Time      Source   Protocol  Length  Info
1    0.000000  1.1.1.1  RTP       214     PT=ITU-T G.711 PCMU, SSRC=0x60542655, Seq=16567, Time=160
2    0.000001  1.1.1.1  RTP       214     PT=ITU-T G.711 SSRC=0x60542655, Seq=16568, Time=320
3    0.000002  1.1.1.1  RTP       214     PT=ITU-T G.711 SSRC=0x60542655, Seq=16569, Time=480
4    0.000003  1.1.1.1  RTP       214     PT=ITU-T G.711 SSRC=0x60542655, Seq=16570, Time=640
5    0.000004  1.1.1.1  RTP       214     PT=ITU-T G.711 SSRC=0x60542655, Seq=16571, Time=800
6    0.000005  1.1.1.1            214     PT=ITU-T G.711 SSRC=0x60542655, Seq=16572, Time=960
7    0.000006                             PT=ITU-T G.711 SSRC=0x60542655, Seq=16573, Time=1120

Frame 1: 214 bytes on wire (1712 bits)
Ethernet II, Src: Send 00 (20:53:45:4e:44:00)
Internet Protocol Version 4, Src: 1.1.1.1
User Datagram Protocol, Src Port: 4000
Real-Time Transport Protocol
SRTP Decrypt: Analysing RTP Streams


[Screenshot: "Wireshark - RTP Stream Analysis - import 20180320032955 a10724" for 1.1.1.1:4000 and 2.2.2.2:17786, with Forward, Reverse and Graph tabs and the buttons Play Streams and Help. The per-packet table has the columns Packet, Sequence, Delta (ms), Jitter (ms), Skew, Bandwidth, Marker, Status; the visible rows run from packet 520 (sequence 17086) down to packet 493 (sequence 17059), each with Delta 0.00 and Jitter 20.00. 1 streams found.]

Forward
    SSRC         0x60542655
    Max Delta    0.00 ms @ 11
    Max Jitter   20.00 ms
    Mean Jitter  19.96 ms
    RTP Packets  520
    Expected     520
    Lost         0 (0.00 %)
    SeqErrs      0
    Start at     0.000000 s @ 1
    Duration     0.00 s
    Freq Drift   160000000 Hz (1999900.00 %)

Reverse
    SSRC         0x00000000
    Max Delta    0.00 ms @ 0
    Mean Jitter  0.00 ms
    RTP Packets  0
    Expected     1
    Lost         1 (100.00 %)
    SeqErrs      0
    Duration     0.00 s
    Freq Drift   1 Hz (0.00 %)
SRTP Decrypt: Playing Decrypted Call


[Screenshot: Wireshark - RTP Player. Waveform legend: Jitter Drops, Wrong Timestamps, Inserted Silence; time axis from -0.069 to -0.051. Output Device: Speakers (Realtek High Definition Audio). Jitter Buffer: 50. Playback Timing: Jitter Buffer, Time of Day.]

Source Address  Source Port  Destination Address  Destination Port  SSRC        Setup Frame  Packets  Time Span (s)              Sample Rate (Hz)  Payloads
1.1.1.1         4000         2.2.2.2              17786             0x60542655  4294967295   520      0 - 0.000519 (0.000519)    8000              g711U
Libsrtp


* Implementation of the Secure Real-time Transport Protocol (SRTP)


* Can decipher SRTP packets
Libsrtp


* GitHub: https://github.com/cisco/libsrtp

[Screenshot: GitHub repository page for cisco/libsrtp, "Library for SRTP (Secure Realtime Transport Protocol)". 1,039 commits, 8 branches, 16 releases, 48 contributors; Star 386, Fork 198. Latest commit 1447dfb, 13 days ago: "Merge pull request #404 from pabuhler/add-extern-to-global-variables".]


Libsrtp: Installation 


* Cloning 
root@PentesterAcademy:/work# git clone https://github.com/cisco/libsrtp.git 
Cloning into 'libsrtp'... 
remote: Counting objects: 6495, done. 
remote: Total 6495 (delta 0), reused 0 (delta 0), pack-reused 6495 


Receiving objects: 100% (6495/6495), 5.28 MiB | 126.00 KiB/s, done. 
Resolving deltas: 100% (4442/4442), done. 
root@PentesterAcademy:/work# cd libsrtp/ 
Libsrtp: Installation


* Configure

root@PentesterAcademy:/work/libsrtp# ./configure
for gcc... gcc
whether the C compiler works... yes
for C compiler default output file name... a.out
for suffix of executables...
whether we are cross compiling... no
for suffix of object files... o
whether we are using the GNU C compiler... yes
whether gcc accepts -g... yes
for gcc option to accept ISO C89... none needed
how to run the C preprocessor... gcc -E
for ar... ar
the archiver (ar) interface... ar
for ranlib... ranlib
for a BSD-compatible install... /usr/bin/install -c
for a sed that does not truncate output... /bin/sed
for grep that handles long lines and -e... /bin/grep


Libsrtp: Installation 


* Make 


root@PentesterAcademy:/work/libsrtp# make
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC
oll-loops -c srtp/srtp.c -o srtp/srtp.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC
oll-loops -c srtp/ekt.c -o srtp/ekt.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC
oll-loops -c crypto/cipher/cipher.c -o crypto/cipher/cipher.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC
oll-loops -c crypto/cipher/null_cipher.c -o crypto/cipher/null_cipher.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC
oll-loops -c crypto/cipher/aes_icm.c -o crypto/cipher/aes_icm.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC
oll-loops -c crypto/cipher/aes.c -o crypto/cipher/aes.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC
oll-loops -c crypto/hash/null_auth.c -o crypto/hash/null_auth.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC
oll-loops -c crypto/hash/auth.c -o crypto/hash/auth.o
gcc -DHAVE_CONFIG_H -Icrypto/include -I./include -I./crypto/include -fPIC
oll-loops -c crypto/hash/hmac.c -o crypto/hash/hmac.o
Libsrtp: Ready


root@PentesterAcademy:/work/libsrtp/test# ./rtp_decoder -h
Using libsrtp2 2.2.0-pre [0x2020000]
./rtp_decoder [-d <debug>]* [[-k][-b] <key> [-a][-e]]
./rtp_decoder -l
  -a use message authentication
  -e <key size> use encryption (use 128 or 256 for key size)
  -g Use AES-GCM mode (must be used with -e)
  -t <tag size> Tag size to use (in GCM mode use 8 or 16)
  -k <key> sets the srtp master key given in hexadecimal
  -b <key> sets the srtp master key given in base64
  -l list debug modules
  -f "<pcap filter>" to filter only the desired SRTP packets
  -d <debug> turn on debugging for module <debug>
  -s "<srtp-crypto-suite>" to set both key and tag size based
     on RFC4568-style crypto suite specification
Libsrtp: SRTP key


[Screenshot: Wireshark packet list of SIP/SDP packets with the 200 OK from 192.168.20.1 to 192.168.20.130 (frame 173) selected and its SDP body expanded]

Internet Protocol Version 4, Src: 192.168.20.1, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 60168, Dst Port: 5060
Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
    Message Header
    Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): - 3730471310 3730471311 IN IP4 192.168.5.114
            Session Name (s): pjmedia
            Bandwidth Information (b): AS:84
            Time Description, active time (t): 0 0
            Session Attribute (a): X-nat:0
            Media Description, name and address (m): audio 4000 RTP/SAVP 0 101
            Connection Information (c): IN IP4 192.168.5.114
            Bandwidth Information (b): TIAS:64000
            Media Attribute (a): rtcp:4001 IN IP4 192.168.5.114
            Media Attribute (a): sendrecv
            Media Attribute (a): rtpmap:0 PCMU/8000
            Media Attribute (a): rtpmap:101 telephone-event/8000
            Media Attribute (a): fmtp:101 0-16
            Media Attribute (a): ssrc:965767637 cname:66bf37b000942b74


Libsrtp: Copying SRTP key


[Screenshot: the same SIP/SDP 200 OK (frame 173) in Wireshark, with the packet-details context menu open on the SDP media attribute "crypto:1 AES_CM_128_HMAC_SHA1_80 inline:..." and its Copy submenu expanded]
Libsrtp: Filtering for one sender


[Screenshot: Wireshark with the display filter "sdp" and frame 173 (192.168.20.1 to 192.168.20.130) selected; the context menu on the Internet Protocol Version 4 header is open at its filter submenu (...or Selected, ...and not Selected, ...or not Selected)]
Libsrtp: Filtering single RTP stream


[Screenshot: Normal_Call_two_parties.pcap in Wireshark, filtered down to one SRTP stream: frames 177 to 260, 192.168.20.1 to 192.168.20.130, UDP source port 4000 and destination port 16450, 224 bytes each, SSRC=0x399071D5, Seq=25650 to 25667, Time=160 to 2880]
Libsrtp: Exporting filtered traffic


[Screenshot: the Wireshark File menu open over the filtered SRTP packet list (SSRC=0x399071D5, Seq=25650 to 25667) of Normal_Call_two_parties.pcap]


Libsrtp: Saving exported traffic


[Screenshot: Wireshark save dialog for the exported packets: folder "SIP + SRTP", Save as type "Wireshark/tcpdump/... - pcap", Packet Range "All packets"]
Libsrtp: Command


* ./rtp_decoder -a -t 10 -e 128 -b 2stvabBcXXf3HtaHCSsB8WACeRBst9f7lwLqlzqE * < Normal_Call_two_parties_Exported_RTP.pcap


* -a Use message authentication
* -t Authentication tag size (80 bits, so 10 bytes)
* -e Length of the encryption key. In our case the cipher is AES_CM_128_HMAC_SHA1_80, hence a 128-bit key is used.
* -b SRTP key in ASCII format (base64)
Libsrtp: Command output


root@PentesterAcademy:/work/libsrtp/test# ./rtp_decoder -a -t 10 -e 128 -b 2stvabBcXXf3HtaHCSsB8WACeRBst9f7lwLqlzqE * < ../../Normal_Call_two_parties_Exported_RTP.pcap
Using libsrtp2 2.2.0-pre [0x2020000]
security services: confidentiality message authentication
setting tag len 10
set master key/salt to dacb6f69b05c5d77f71ed687092b01f1/600279106cb7d7fb9702ea973a84
Starting decoder
Libsrtp: text2pcap help


root@PentesterAcademy:~# text2pcap
Must specify input and output filename.

Usage: text2pcap [options] <infile> <outfile>

where  <infile> specifies input filename (use - for standard input)
      <outfile> specifies output filename (use - for standard output)

Input:
  -o hex|oct|dec         parse offsets as (h)ex, (o)ctal or (d)ecimal;
                         default is hex.
  -t <timefmt>           treat the text before the packet as a date/time code;
                         the specified argument is a format string of the sort
                         supported by strptime.
                         Example: The time "10:15:14.5476" has the format code
                         "%H:%M:%S."
                         NOTE: The subsecond component delimiter, '.', must be
                         given, but no pattern is required; the remaining
                         number is assumed to be fractions of a second.
                         NOTE: Date/time fields from the current date/time are
                         used as the default for unspecified fields.
  -D                     the text before the packet starts with an I or an O,
                         indicating that the packet is inbound or outbound.
                         This is only stored if the output format is PCAP-NG.
  -a                     enable ASCII text dump identification.
                         The start of the ASCII text dump can be identified
                         and excluded from the packet data, even if it looks
                         like a HEX dump.
                         NOTE: Do not enable it if the input file does not
                         contain the ASCII text dump.


Libsrtp: text2pcap


text2pcap -t "%M:%S." -u 10000,10000 - - > ./Normal_Call_two_parties_Decrypted.pcap


* -t Treat the text before the packet as a date/time code
* %M:%S Time format
* -u Prepend dummy UDP header with specified source and destination ports
Libsrtp: Decrypting RTP traffic


root@PentesterAcademy:/work/libsrtp/test# ./rtp_decoder -a -t 10 -e 128 -b 2stvabBcXXf3HtaHCSsB8WACeRBst9f7lwLqlzqE * < ./Normal_Call_two_parties_Exported_RTP.pcap | text2pcap -t "%M:%S." -u 10000,10000 - - > ./Normal_Call_two_parties_Decrypted.pcap
Input from: Standard input
Output to: Standard output
Output format: PCAP
Generate dummy Ethernet header: Protocol: 0x800
Generate dummy IP header: Protocol: 17
Generate dummy UDP header: Source port: 10000. Dest port: 10000
Using libsrtp2 2.2.0-pre [0x2020000]
security services: confidentiality message authentication
set master key/salt to dacb6f69b05c5d77f71ed687092b01f1/600279106cb7d7fb9702ea973a84
Starting decoder
bytes.
bytes.
bytes.
bytes.
bytes.
bytes.
bytes.
packet bytes.
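The rtp_decoder options used above follow from the SDP crypto attribute: the suite name fixes the key and tag sizes, and the inline value is the base64 master key and salt that the tool echoes as "set master key/salt". The following is an added example, not part of the original slides or of libsrtp: it parses such an attribute, validates the key length and rebuilds the option list. The function names are this example's own, the sample line is assembled from the suite and key shown on the slides, and the flag mapping for suites other than AES_CM_128_HMAC_SHA1_80 is an assumption by analogy.

```python
"""Turn an SDP "a=crypto" attribute (RFC 4568) into rtp_decoder options."""
import base64
import binascii
import re

# Suite name -> (master key bits, master salt bits, auth tag bits).
# AES_CM_128_* are defined in RFC 4568, AES_256_CM_* in RFC 6188.
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (128, 112, 80),
    "AES_CM_128_HMAC_SHA1_32": (128, 112, 32),
    "AES_256_CM_HMAC_SHA1_80": (256, 112, 80),
    "AES_256_CM_HMAC_SHA1_32": (256, 112, 32),
}

# Accepts the raw SDP line and the value as copied from Wireshark's tree
# ("crypto:1 ..." without the leading "a=").
CRYPTO_RE = re.compile(
    r"^(?:a=)?crypto:(?P<tag>\d+)\s+(?P<suite>\w+)\s+inline:(?P<params>\S+)"
)

# Constructed sample: the suite and key shown on the slides, joined into one line.
SAMPLE = ("a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
          "inline:2stvabBcXXf3HtaHCSsB8WACeRBst9f7lwLqlzqE")


def parse_crypto(line):
    """Return suite parameters and the split master key/salt for one attribute."""
    match = CRYPTO_RE.match(line.strip())
    if match is None:
        raise ValueError("not a crypto attribute with an inline key")
    suite = match.group("suite")
    if suite not in SUITES:
        raise ValueError("unsupported crypto suite: " + suite)
    key_bits, salt_bits, tag_bits = SUITES[suite]

    # Key parameters look like inline:<b64>[|lifetime][|MKI:len][;inline:...];
    # only the base64 part of the first key is needed here.
    b64 = match.group("params").split(";")[0].split("|")[0]
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("inline key is not valid base64") from exc

    expected = (key_bits + salt_bits) // 8
    if len(raw) != expected:
        raise ValueError("%s needs %d bytes of key||salt, got %d"
                         % (suite, expected, len(raw)))

    key_len = key_bits // 8
    return {
        "suite": suite, "key_bits": key_bits, "tag_bytes": tag_bits // 8,
        "b64": b64, "key": raw[:key_len], "salt": raw[key_len:],
    }


def master_key_salt_hex(line):
    """Format key/salt the way rtp_decoder prints "set master key/salt to"."""
    info = parse_crypto(line)
    return info["key"].hex() + "/" + info["salt"].hex()


def rtp_decoder_args(line):
    """Options as used on the slides: -a -t <tag bytes> -e <key bits> -b <key>."""
    info = parse_crypto(line)
    return ["-a", "-t", str(info["tag_bytes"]),
            "-e", str(info["key_bits"]), "-b", info["b64"]]


if __name__ == "__main__":
    print("./rtp_decoder " + " ".join(rtp_decoder_args(SAMPLE)))
    print("set master key/salt to " + master_key_salt_hex(SAMPLE))
```

A key that was truncated or mistyped while copying it out of the SDP fails the length or base64 check here, before any decoding is attempted.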
Libsrtp: Decrypted traffic


[Screenshot: the decrypted capture opened in Wireshark: 18 packets visible from 0.000000 to 0.345731, each a 214-byte UDP frame from 10.1.1.1:10000 to 10.2.2.2:10000 with Len=172; frame 1 shows the dummy Ethernet addresses 0a:01:01:01:01:01 and 0a:02:02:02:02:02 and "Data (172 bytes)"]
Libsrtp: Decode as


[Screenshot: packet-list context menu opened on frame 3 of the decrypted capture, which still shows as UDP 10.1.1.1:10000 to 10.2.2.2:10000 with Data (172 bytes)]


Libsrtp: Decode as RTP


[Screenshot: Wireshark Decode As dialog with its Default and Current columns]
Libsrtp: Decrypted RTP traffic


[Screenshot: Normal_Call_two_parties_Decrypted.pcap in Wireshark: the 214-byte packets from 10.1.1.1:10000 to 10.2.2.2:10000 now dissect as Real-Time Transport Protocol, PT=ITU-T, SSRC=0x399071D5, Seq=25650 to 25667, Time=160 to 2880]


Libsrtp: Analysing RTP Streams


[Screenshot: Normal_Call_two_parties_Decrypted.pcap in Wireshark with the Telephony menu open; the packets are listed as PT=ITU-T G.711 PCMU, SSRC=0x399071D5, Seq=25650 to 25667]


Libsrtp: Analysing RTP Streams


[Screenshot: Wireshark RTP Stream Analysis for 10.1.1.1:10000 to 10.2.2.2:10000. Forward stream: SSRC 0x399071d5, Max Delta 31.03 ms @ 220, Max Jitter 2.25 ms, Mean Jitter 0.80 ms, RTP Packets 520, Expected 520, Lost 0 (0.00 %), Seq Errs 0. Reverse stream: SSRC 0x00000000, RTP Packets 0, Expected 1, Lost 1 (100.00 %). Status line: "1 streams found."]
Libsrtp: Playing decrypted call


[Screenshot: Wireshark RTP Player with the decrypted stream loaded: 10.1.1.1:10000 to 10.2.2.2:10000, SSRC 0x399071d5, 520 packets, time span 0 - 10.4 s (10.4), sample rate 8000 Hz, payload g711U; Jitter Buffer 50, Playback Timing: Jitter Buffer]
Other Important Parts?


* DTMF 


* Messages (SMS) 


* Exporting Call 
RTP DTMF


[Screenshot: Wireshark with the display filter "rtp": G.711 PCMU packets interleaved with RTP EVENT packets whose Info column reads "Payload type=RTP Event, DTMF One 1" (frames 2597 to 2603)]

Frame 2597: 58 bytes on wire (464 bits), 58 bytes captured (464 bits)
Ethernet II, Src: Vmware_23:37:1f (00:50:56:23:37:1f), Dst: Vmware_ab:b1:84 (00:0c:29:ab:b1:84)
Internet Protocol Version 4, Src: 192.168.20.136, Dst: 192.168.20.130
User Datagram Protocol, Src Port: 4000, Dst Port: 16290
Real-Time Transport Protocol
RFC 2833 RTP Event
    End of Event: False
    Reserved: False
    Volume: 10
    Event Duration: 160
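The fields in this capture (End of Event, Reserved, Volume, Event Duration) make up the 4-byte RFC 2833 payload that follows the RTP header, and one key press is sent as several packets sharing the same RTP timestamp. The following added example, not from the original slides, parses that payload and collapses the repeated packets of each key press into one digit; the packets are constructed sample data, the function names are this example's own, and payload type 101 is assumed from the rtpmap:101 telephone-event/8000 line in the SDP shown earlier.

```python
"""Recover DTMF digits from RFC 2833 telephone-event RTP packets."""
import struct

EVENT_KEYS = "0123456789*#ABCD"   # RFC 2833 event codes 0-15


def parse_rtp_event(packet, event_pt=101):
    """Return the decoded event, or None if the packet is not a telephone-event."""
    if len(packet) < 12:
        return None
    first, second, seq, timestamp, ssrc = struct.unpack("!BBHII", packet[:12])
    if first >> 6 != 2 or (second & 0x7F) != event_pt:
        return None                               # not RTP v2 or other payload type
    offset = 12 + 4 * (first & 0x0F)              # skip the CSRC list
    if first & 0x10:                              # skip a header extension
        if len(packet) < offset + 4:
            return None
        (ext_words,) = struct.unpack("!H", packet[offset + 2:offset + 4])
        offset += 4 + 4 * ext_words
    if len(packet) < offset + 4:
        return None                               # truncated event payload
    event, flags, duration = struct.unpack("!BBH", packet[offset:offset + 4])
    return {
        "ssrc": ssrc, "seq": seq, "timestamp": timestamp,
        "event": event,
        "end": bool(flags & 0x80),        # "End of Event"
        "reserved": bool(flags & 0x40),   # "Reserved"
        "volume": flags & 0x3F,           # "Volume"
        "duration": duration,             # "Event Duration"
    }


def dtmf_digits(packets, event_pt=101):
    """Collapse updates and retransmissions of each key press into one digit."""
    seen = set()
    digits = []
    for packet in packets:
        info = parse_rtp_event(packet, event_pt)
        if info is None or info["event"] >= len(EVENT_KEYS):
            continue
        press = (info["ssrc"], info["timestamp"])  # constant for one key press
        if press not in seen:
            seen.add(press)
            digits.append(EVENT_KEYS[info["event"]])
    return "".join(digits)


def build_rtp(pt, seq, timestamp, ssrc, payload, marker=False):
    """Sample-data helper: minimal 12-byte RTP header plus payload."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt,
                       seq, timestamp, ssrc) + payload


def build_event(event, end, volume, duration):
    """Sample-data helper: 4-byte telephone-event payload."""
    return struct.pack("!BBH", event, (0x80 if end else 0) | volume, duration)


def sample_packets():
    """Constructed stream: one audio packet, then the keys 1, 2 and #."""
    ssrc = 0x0000BEEF                              # constructed value
    return [
        build_rtp(0, 100, 97920, ssrc, b"\xff" * 160),                        # PCMU audio
        build_rtp(101, 101, 98080, ssrc, build_event(1, False, 10, 160), True),
        build_rtp(101, 102, 98080, ssrc, build_event(1, False, 10, 320)),
        build_rtp(101, 103, 98080, ssrc, build_event(1, True, 10, 480)),
        build_rtp(101, 104, 98080, ssrc, build_event(1, True, 10, 480)),      # end repeated
        build_rtp(101, 105, 99680, ssrc, build_event(2, False, 10, 160), True),
        build_rtp(101, 106, 99680, ssrc, build_event(2, True, 10, 320)),
        build_rtp(101, 107, 101280, ssrc, build_event(11, True, 10, 160), True),
    ]


if __name__ == "__main__":
    print(dtmf_digits(sample_packets()))
```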
SIP Message


[Screenshot: Wireshark packet list with SIP packets 60 to 62; frame 61, a SIP MESSAGE request from 192.168.20.130 to 192.168.20.1, is selected]

Frame 61: 513 bytes on wire (4104 bits), 513 bytes captured (4104 bits)
Ethernet II, Src: Vmware_ab:b1:84 (00:0c:29:ab:b1:84), Dst: Vmware_c0:00:08 (00:50:56:c0:00:08)
Internet Protocol Version 4, Src: 192.168.20.130, Dst: 192.168.20.1
User Datagram Protocol, Src Port: 5160, Dst Port: 63825
Session Initiation Protocol (MESSAGE)
    Request-Line: MESSAGE sip:2222@192.168.20.1:63825;ob SIP/2.0
    Message Header
        Via: SIP/2.0/UDP 192.168.20.130:5160;branch=z9hG4bK5a87574e
        Max-Forwards: 70
        From: "Unknown" <sip:1111@192.168.20.130:5160>;tag=as008f816f
        Contact: <sip:1111@192.168.20.130:5160>
        Call-ID: 073e1f452da9a1e17dbf255754c503a9@[::1]:5160
        CSeq: 102 MESSAGE
        User-Agent: FPBX-13.0.194.2(13.12.1)
        Content-Type: text/plain;charset=UTF-8
        Content-Length: 29
    Message Body
        Line-based text data: text/plain
PCAP2WAV: Online service


[Screenshot: the pcap2wav.xplico.org upload page, marked "Not secure" by the browser]

PCAP2WAV converts RTP streams to WAV files
Codecs supported: G711ulaw, G711alaw, G722, G729, G723, G726 and RTAudio (x-msrta: Real Time Audio).
PCAP2WAV is an Xplico customization and it runs in Linux.
Try it now, drag & drop here the PCAP file.
This session is visible only from your IP (182.48.243.162).

Demo rules:
* Only network files (CAP, PCAP) are allowed.
* The maximum file size for uploads is 5 MB.
* Uploaded files will be deleted automatically at 00:00 GMT.
* You can drag & drop files from your desktop on this webpage with Google Chrome, Mozilla Firefox and Apple Safari.
PCAP2WAV: Uploading PCAP and Downloading Wav


[Screenshot: pcap2wav.xplico.org after uploading "SIP+RTP call trace from caller to PBX.pcap" (226.76 KB); two .wav files are listed under "WAV Files" for download]

PCAP2WAV: Wav in audacity 


[Screenshot: the downloaded file "rtp O 1 1522092588 13080.pcap-media-1" opened in Audacity] 

PCAP2WAV: Offline script 


* Bash script to extract the audio from VoIP calls 


* Outputs .wav file 


* Uses tshark and sox 


* GitHub: https://gist.github.com/avimar/d2e9d05e082ce273962d742eb9acac16 

PCAP2WAV: Help 


root@PentesterAcademy:/work/pcap2wav# ./pcap2wav.sh -h 
pcap2wav is a simple utility to make it easier to extract the audio from a pcap 
Dependencies: 
    apt-get install -y tshark sox 
    yum install wireshark sox 

Usage: 
    pcap2wav [opts] filename.pcap [target filename] 

Script attempts to create a few files: a .<codec> file and a .wav file for each RTP stream 

It requires Tshark to be installed on the system. If a codec other than PCMA or PCMU 
is used then the script will attempt to use fs_cli to decode and create a wav. 

Supported codecs: 
    PCMU (G711 ulaw) 
    PCMA (G711 Alaw) 
    GSM 
    G722 (requires fs_encode) 
    G729 (requres fs_encode with mod_com_g729) 

Supported options: 
    -Z Perform "clean and zip" - After converting to wav files the program will "clean up" 
       by putting the wav files into a .tgz file and then removing 
       the .wav and .<codec> files from the disk. 

PCAP2WAV: Installing tshark and sox 


root@PentesterAcademy:/work# 
Reading package lists... Done 
Building dependency tree 
Reading state information... Done 
tshark is already the newest version (2.4.4-1). 
The following additional packages will be installed: 
libsox-fmt-alsa libsox-fmt-base libsox3 
Suggested packages: 
libsox-fmt-all 
The following NEW packages will be installed: 
libsox-fmt-alsa libsox-fmt-base libsox3 sox 
0 upgraded, 4 newly installed, 0 to remove and 1826 not upgraded. 
Need to get 530 kB of archives. 
After this operation, 1,292 kB of additional disk space will be used. 
.edu.tw/Linux/kali kali-rolling/main amd64 libsox3 amd64 14.4.2-3 [264 kB] 
.edu.tw/Linux/kali kali-rolling/main amd64 libsox-fmt-alsa amd64 14.4.2-3 [51.3 kB] 
.edu.tw/Linux/kali kali-rolling/main amd64 libsox-fmt-base amd64 14.4.2-3 [72.8 kB] 
.edu.tw/Linux/kali kali-rolling/main amd64 sox amd64 14.4.2-3 [142 kB] 
(84.7 kB/s) 
Selecting previously unselected package libsox3:amd64. 
(Reading database ... 336924 files and directories currently installed.) 
Preparing to unpack .../libsox3 14.4.2-3 amd64.deb ... 
Unpacking libsox3:amd64 (14.4.2-3) 

PCAP2WAV: Running the tool 


root@PentesterAcademy:/work/pcap2wav# ./pcap2wav.sh SIP+RTP call trace from caller to PBX.pcap ./output call.wav 
Found SIP+RTP call trace from caller to PBX.pcap, working... 
Using ./output call.wav 
Checking SIP+RTP call trace from caller to PBX.pcap for RTP streams... 
Running as user "root" and group "root". This could be dangerous. 
tshark: Lua: Error during loading: 
[string "/usr/share/wireshark/init.lua"]:44: dofile has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user. 
Running as user "root" and group "root". This could be dangerous. 
tshark: Lua: Error during loading: 
[string "/usr/share/wireshark/init.lua"]:44: dofile has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user. 
Target files to create: 
and 
and 
Stream 1 ssrc / port: 0x0fbb0c8d / 13080 
Stream 2 ssrc / port: 0x4fcef51a / 4004 

Extracting payloads 1 from 0x0fbb0c8d... 
Extracting payloads 2 from 0x4fcef51a... 
Combining 2 streams into a single wav file for convenience 
tion specified - 1 i .<codec> and .wav files on system. 

PCAP2WAV: Directory contents 


* Directory content before running the script 

root@PentesterAcademy:/work/pcap2wav# ls -l 
total 232 
-rwxr-xr-x 1 root root 5927 Mar 27 01:18 pcap2wav.sh 
1 root root 226760 Mar 19 17:29 SIP+RTP call trace from caller to PBX.pcap 


* Directory content after running the script 

root@PentesterAcademy:/work/pcap2wav# ls -l 
total 592 
-rw-r--r-- 1 root root 70240 Mar 27 03:57 output call.wav 1.PCMU 
-rw-r--r-- 1 root root 70298 Mar 27 03:57 
-rw-r--r-- 1 root root 760880 Mar 27 03:57 output call.wav 2.PCMU 
-rw-r--r-- 1 root root 70938 Mar 27 03:57 
-rw-r--r-- 1 root root 70938 Mar 27 03:57 
-rwxr-xr-x 1 root root 5927 Mar 27 01:18 pcap2wav.sh 
root root 226760 Mar 19 17:29 SIP+RTP call trace from caller to PBX.pcap 

PCAP2WAV: Wav in audacity 


[Screenshot: the WAV file produced by the script opened in Audacity] 
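
What the extract-and-convert step amounts to for a PCMU call, as an added Go example (not the gist's script, which uses tshark and sox): it takes the UDP payloads of a capture, keeps one SSRC, orders the packets by sequence number and expands G.711 mu-law into a WAV file. The function names and the sample packet are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"sort"
)

type rtpPacket struct {
	seq     uint16
	payload []byte
}

// parseRTP decodes an RTP v2 packet, skipping the CSRC list; padding or a header extension (P/X bits) is rejected.
func parseRTP(b []byte) (p rtpPacket, ok bool) {
	if len(b) < 12 || b[0]>>6 != 2 || b[0]&0x30 != 0 || len(b) < 12+4*int(b[0]&0x0f) {
		return p, false
	}
	return rtpPacket{binary.BigEndian.Uint16(b[2:]), b[12+4*int(b[0]&0x0f):]}, true
}

// ulaw expands one G.711 mu-law byte (PCMU) to a 16-bit linear PCM sample.
func ulaw(u byte) int16 {
	u = ^u
	t := ((int(u&0x0f) << 3) + 0x84) << ((u >> 4) & 0x07)
	if u&0x80 != 0 {
		return int16(0x84 - t)
	}
	return int16(t - 0x84)
}

// streamToWAV orders one SSRC's packets by sequence number (16-bit wrap safe), drops duplicates, returns an 8 kHz mono WAV.
func streamToWAV(udpPayloads [][]byte, ssrc uint32) []byte {
	var pkts []rtpPacket
	for _, raw := range udpPayloads {
		if p, ok := parseRTP(raw); ok && binary.BigEndian.Uint32(raw[8:]) == ssrc {
			pkts = append(pkts, p)
		}
	}
	sort.SliceStable(pkts, func(i, j int) bool { return int16(pkts[i].seq-pkts[j].seq) < 0 })
	var pcm, wav bytes.Buffer
	for i, p := range pkts {
		if i > 0 && p.seq == pkts[i-1].seq {
			continue // duplicated packet
		}
		for _, u := range p.payload {
			binary.Write(&pcm, binary.LittleEndian, ulaw(u))
		}
	}
	wav.WriteString("RIFF")
	binary.Write(&wav, binary.LittleEndian, uint32(36+pcm.Len()))
	wav.WriteString("WAVEfmt ")
	binary.Write(&wav, binary.LittleEndian, []uint16{16, 0, 1, 1, 8000, 0, 16000, 0, 2, 16}) // fmt chunk: size 16, PCM, mono, 8000 Hz, 16000 B/s, align 2, 16 bit
	wav.WriteString("data")
	binary.Write(&wav, binary.LittleEndian, uint32(pcm.Len()))
	wav.Write(pcm.Bytes())
	return wav.Bytes()
}

func main() {
	pkt := []byte{0x80, 0, 0, 1, 0, 0, 0, 0, 0x0f, 0xbb, 0x0c, 0x8d, 0xff, 0x80} // constructed: PT 0, seq 1, SSRC 0x0fbb0c8d
	fmt.Printf("%d-byte WAV\n", len(streamToWAV([][]byte{pkt}, 0x0fbb0c8d)))
}
```
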

VoIPShark 


Collection of Wireshark plugins to 
— Decrypt VoIP calls 
— Export call audio 
— Overview of traffic (Extensions, SMS, DTMF) 
— Common VoIP attacks 


GPL just like Wireshark 


Github: github.com/pentesteracademy/voipshark 

VoIPShark: Need? 


* Cumbersome and complex process 


* Multiple tools 

— Need compilation, hence time consuming to set-up 
— Not easy to use 
— User dependent, prone to mistakes 


* Inability to retain timestamp, IP addresses etc. during decryption 


* Live traffic not supported 

Why Wireshark Plugins? 


Plug and play 

Plugins can be 

— Lua scripts 

— Compiled C/C++ code 
Harnessing power of Wireshark 


OS independent 


Large user base 

Wireshark Plugins Types 


[Diagram: Wireshark plugin, branching into the types below] 

* Dissector 
* Chained Dissector 
* Post Dissector 
* Heuristic Dissector 
* Listener/Tap 

Dissector 


* To interpret the payload data 


* Decodes its part of the protocol and passes the payload to the next dissector 


Example Dissection Flow 


Ethernet → IP → TCP → HTTP → Custom 

Chained Dissector 


Takes data from the previous dissector, processes its part and passes the payload to the next dissector 


Example Dissection Flow 


Ethernet → Custom (chained dissector) → IP → TCP → HTTP 

VoIPShark: Hook in Dissector Chain 


[Diagram: VoIPShark hooked into the Wireshark dissector chain. Labels: IP Layer Parser, TCP/UDP Parser, Upper Layer Parser, SIP/SDP/RTP/SRTP, VoIPShark, Wireshark] 

VoIPShark: Overall Architecture 


[Diagram: VoIPShark components between Wireshark and the file system. Labels: Wireshark, SIP, RTP/SRTP, New Stream Notifier, Decryption Engine, Correlation Engine, Extraction Engine, Encoding Engine, Audio Reconstruction Engine, Packet Reconstruction Engine, Flow Analysis Engine, Audio File, File System] 

VoIPShark: Decryption Routines 


[Diagram: SRTP decryption data flow. Components: DISSECTOR (SDP or SRTP), KEY EXTRACTOR, EXTRACTOR, KEY DERIVATOR, IV CALCULATOR, DECRYPTOR. Data passed between them: MASTER KEY, MASTER SALT, PREDEFINED LABELS (0,2), SESSION ENCRYPTION KEY, SESSION SALT KEY, SSRC, SEQ NUM, MEDIA PORTS, SENDER IP, RECEIVER IP, IV, ENCRYPTED PAYLOAD, RTP PAYLOAD] 
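
The stages named in the diagram (key extractor, key derivator with labels 0 and 2, IV calculator, decryptor) correspond to AES counter mode as specified in RFC 3711; this added Go example, which is not VoIPShark's plugin code, walks one packet through them. It assumes an SDES `a=crypto` line with an AES_CM_128 suite, a plain 12-byte RTP header and a rollover counter supplied by the caller; the function names, the SDP line and the packet are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// extractMaster is the key extractor: 40 base64 characters after "inline:" hold a 16-byte master key and a 14-byte master salt.
func extractMaster(sdpLine string) ([]byte, []byte, error) {
	if i := strings.Index(sdpLine, "inline:"); i >= 0 && len(sdpLine) >= i+47 {
		if raw, err := base64.StdEncoding.DecodeString(sdpLine[i+7 : i+47]); err == nil {
			return raw[:16], raw[16:], nil
		}
	}
	return nil, nil, fmt.Errorf("no 30-byte inline key in %q", sdpLine)
}

// aesCM XORs src with the AES counter-mode keystream for key and counter block.
func aesCM(key, counter, src []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // callers only pass 16-byte keys
	}
	out := make([]byte, len(src))
	cipher.NewCTR(block, counter).XORKeyStream(out, src)
	return out
}

// derive is the key derivator (RFC 3711 section 4.3.1, derivation rate 0): label 0 = session encryption key, label 2 = session salt key.
func derive(masterKey, masterSalt []byte, label byte, n int) []byte {
	x := append(append([]byte{}, masterSalt...), 0, 0) // 14-byte salt * 2^16
	x[7] ^= label
	return aesCM(masterKey, x, make([]byte, n))
}

// packetIV is the IV calculator: session salt XOR SSRC XOR packet index (ROC<<16 | SEQ).
func packetIV(sessionSalt []byte, ssrc, roc uint32, seq uint16) []byte {
	iv := make([]byte, 16)
	copy(iv, sessionSalt)
	binary.BigEndian.PutUint32(iv[4:], binary.BigEndian.Uint32(iv[4:])^ssrc)
	binary.BigEndian.PutUint64(iv[8:], binary.BigEndian.Uint64(iv[8:])^(uint64(roc)<<32|uint64(seq)<<16))
	return iv
}

// decryptSRTP returns the RTP payload of one SRTP packet; the trailing auth tag (tagLen bytes) is dropped, not verified.
func decryptSRTP(pkt, masterKey, masterSalt []byte, roc uint32, tagLen int) ([]byte, error) {
	if tagLen < 0 || len(pkt) < 12+tagLen || len(masterKey) != 16 || len(masterSalt) != 14 {
		return nil, fmt.Errorf("bad packet (%d bytes) or key material length", len(pkt))
	}
	iv := packetIV(derive(masterKey, masterSalt, 2, 14), binary.BigEndian.Uint32(pkt[8:]), roc, binary.BigEndian.Uint16(pkt[2:]))
	return aesCM(derive(masterKey, masterSalt, 0, 16), iv, pkt[12:len(pkt)-tagLen]), nil
}

func main() {
	k, s, _ := extractMaster("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:4") // constructed sample key material
	hdr := []byte{0x80, 0, 0, 177, 0, 0, 0, 0, 0x4e, 0xfa, 0x77, 0x8b}                                                   // constructed header: seq 177
	enc, _ := decryptSRTP(append(hdr, "constructed payload"...), k, s, 0, 0)                                            // counter mode: encrypting is the same XOR
	dec, err := decryptSRTP(append(hdr, enc...), k, s, 0, 0)
	fmt.Printf("%q %v\n", dec, err)
}
```

Everything the routine needs is in the capture when the SDP travels in cleartext, so SDES-keyed SRTP is only as private as the signalling channel that carries the key (SIP over TLS).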


Plugins locations 


* Check Help » About Wireshark » Folders 


Windows 

[Screenshot: About Wireshark dialog (tabs: Wireshark, Authors, Folders, Plugins, Keyboard Shortcuts, License), Folders tab] 

* "File" dialogs: C:\Users\Nishant\Deskto...iting Wireshark Plugin\ (capture files) 
* Temp: C:\Users\Nishant ... Data\Local\Tem (untitled capture files) 
* Personal configuration: C:\Users\Nishant ... Data\Roaming\Wireshark (dfilters, preferences, ethers, …) 
* Global configuration: C:\Program Files\Wireshark (dfilters, preferences, manuf, …) 
* System: C:\Program Files\Wireshark (ethers, ipxnets) 
* Program: C:\Program Files\Wireshark (program files) 
* Extcap Plugins search path 


Ubuntu 

[Screenshot: About Wireshark dialog (tabs: Wireshark, Authors, Folders, Plugins, License), Folders tab] 

* "File" dialogs: /root/ (capture files) 
* Temp: /tmp (untitled capture files) 
* Personal configuration: /root/.wireshark/ ("dfilters", "preferences", "eth 
* Global configuration: /usr/share/wireshark ("dfilters", "preferences", "ma 
* System: /etc ("ethers", "ipxnets") 
* Program: /usr/bin (program files) 


Decrypting SRTP: SRTP Packets 


[Screenshot: Wireshark with "Normal Call two parties.pcap" open and the display filter "rtp". Packet list columns: No., Time, Source, Destination, Protocol, Length, SSID, Sequence number, Info. Frames 177 to 198 between 192.168.20.1, 192.168.20.130 and 192.168.20.132, each 224 bytes, Info "PT=ITU-T G.711 PCMU, SSRC=...". Frame 177 is selected: Ethernet II, Internet Protocol Version 4 (192.168.20.1 → 192.168.20.130), User Datagram Protocol (Src Port: 4000, Dst Port: 16450), Real-Time Transport Protocol] 

Decrypting SRTP: Enabling Auto Decryption 


[Screenshot: Wireshark - Preferences, protocol list scrolled to VOIPSHARK, with the VoIPShark preference pane open] 


Decrypting SRTP: Decrypted SRTP (RTP) 


[Screenshot: Wireshark packet list after decryption, same columns as before. Frames 177 to 198 between 192.168.20.1, 192.168.20.130 and 192.168.20.132, each 224 bytes, Info "PT=ITU-T G.711 PCMU, SSRC=...". Frame 177 is selected: Ethernet II, Internet Protocol Version 4 (192.168.20.1 → 192.168.20.130), User Datagram Protocol (Src Port: 4000, Dst Port: 16450), Real-Time Transport Protocol] 

VoIPShark: Exporting Call Audio 


[Screenshot: Wireshark Tools menu (Firewall ACL Rules, Lua) opened over the RTP packet list; the VOIP Attack Detection entry is visible] 

Exporting Call Audio: Specifying Location and File name 


[Dialog: Wireshark - Export Wav] 

* Location (Default: C:\Users\Nishant\Documents\) 
* File prefix (Default: PA-export): voip-call 

Exporting Call Audio: Exported Streams 


[Dialog: Wireshark - Export Wav] 


Streams Found: 4 


Stream 1 Exported Successfully! 
Please Check: C:\Users\Nishant\Desktop\voip-call-192.168.20.130-192.168.20.1-0x4efa778b.wav 


Stream 2 Exported Successfully! 
Please Check: C:\Users\Nishant\Desktop\voip-call-192.168.20.130-192.168.20.132-0x60542655.wav 


Stream 3 Exported Successfully! 
Please Check: C:\Users\Nishant\Desktop\voip-call-192.168.20.132-192.168.20.130-0x15bd2f81.wav 


Stream 4 Exported Successfully! 
Please Check: C:\Users\Nishant\Desktop\voip-call-192.168.20.1-192.168.20.130-0x399071d5.wav 

VoIPShark: SIP Information Gathering 


[Screenshot: Wireshark Tools menu (Firewall ACL Rules, Lua) opened over the RTP packet list; the VOIP Attack Detection entry is visible] 

SIP Information Gathering: DTMF 


[Dialog: Wireshark - DTMF Sequence] 

Call Source | Call Destination | Media Port | DTMF Sequence 
192.168.20.130 | 192.168.20.1 | 4000 -> 15766 | 

SIP Information Gathering: Extensions 


[Dialog: Wireshark - Extensions] 

Extension | Username 

SIP Information Gathering: RTP Packet Transfers 


[Dialog: Wireshark - RTP Packet Transfers] 

Call ID: df715f19130d447a8d790f6c57c6a049 
192.168.20.130 | 192.168.20.132 
17786<->4000 
Packets Sent | Packets Received 

SIP Information Gathering: SIP Auth Export 


[Dialog: Wireshark - SIP Auth Export] 


192.168.20.132 | 192.168.20.130 
$sip$***1111*asterisk*REGISTER*sip*192.168.20.130**1522268723/f872129e9c735809884cb64de141967e*1c109c4b8a064ef5ae277c4d7d07c4d1*00000001*auth*MD5*6a09af4b796d1b5ff376726fa9ae1ad9 


192.168.20.1 | 192.168.20.130 
$sip$***2222*asterisk*REGISTER*sip*192.168.20.130**1522268729/b27f0c3e27b25533a8ae9a41de712696*81aca7938c994d1d93d4abc8007095b5*00000001*auth*MD5*f28aa9d6f10944e06f8693337fd3ba19 

SIP Information Gathering: Servers and Proxy 


[Dialog: Wireshark - Servers and Proxy] 

SIP Information Gathering: Unique Messages 


[Dialog: Wireshark - Unique Messages] 

Message 
192.168.20.130 

VoIPShark: VoIP Attack Detection 


[Screenshot: Wireshark Tools menu (Firewall ACL Rules, Lua) opened over the RTP packet list (192.168.20.1, 192.168.20.130, 192.168.20.132; PT=ITU-T G.711)] 

VoIP Attack Detection: Bruteforce 


[Dialog: Wireshark - Brute Force] 

| S.no | Attacker Machine | Target Extension | Target Machine | Requests Sent | Failed Attempts | Requests Per second | 
| 1 | 192.168.20.134 | 1111 | 192.168.20.130 | 7 | 6 | 167.54 | 
| 2 | 192.168.20.134 | 2222 | 192.168.20.130 | 9 | 8 | 151.65 | 
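
One way to fill the columns of this table from observed SIP traffic, as an added Go example that is not VoIPShark's plugin code. The one-line event format, the threshold and the definition of the request rate are assumptions, and the sample events are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

type key [3]string // attacker, extension, target

type row struct {
	Requests, Failed       int
	First, Last, PerSecond float64 // PerSecond (assumed definition): Requests / (Last - First)
}

// bruteForce reads "time src dst REGISTER|status extension" lines and keeps the rows with at least minFailed rejections.
func bruteForce(events string, minFailed int) map[key]*row {
	rows := map[key]*row{}
	for _, line := range strings.Split(events, "\n") {
		var ts float64
		var src, dst, what, ext string
		if n, _ := fmt.Sscan(line, &ts, &src, &dst, &what, &ext); n != 5 {
			continue // blank or malformed line
		}
		switch what {
		case "REGISTER":
			k := key{src, ext, dst}
			if rows[k] == nil {
				rows[k] = &row{First: ts}
			}
			rows[k].Requests, rows[k].Last = rows[k].Requests+1, ts
		case "401", "403": // the rejection travels from the server back to the requester
			if r := rows[key{dst, ext, src}]; r != nil {
				r.Failed++
			}
		}
	}
	for k, r := range rows {
		if r.Failed < minFailed {
			delete(rows, k) // e.g. the single 401 challenge of a normal registration
		} else if r.Last > r.First {
			r.PerSecond = float64(r.Requests) / (r.Last - r.First)
		}
	}
	return rows
}

// sampleEvents is constructed: .134 keeps failing for extension 1111, .132 registers normally.
const sampleEvents = `0.00 192.168.20.134 192.168.20.130 REGISTER 1111
0.10 192.168.20.130 192.168.20.134 401 1111
0.25 192.168.20.134 192.168.20.130 REGISTER 1111
0.30 192.168.20.130 192.168.20.134 401 1111
0.50 192.168.20.134 192.168.20.130 REGISTER 1111
0.60 192.168.20.130 192.168.20.134 403 1111
1.00 192.168.20.132 192.168.20.130 REGISTER 2222
1.10 192.168.20.130 192.168.20.132 401 2222
1.20 192.168.20.132 192.168.20.130 REGISTER 2222
1.30 192.168.20.130 192.168.20.132 200 2222`

func main() {
	for k, r := range bruteForce(sampleEvents, 3) {
		fmt.Printf("%v requests=%d failed=%d rate=%.2f/s\n", k, r.Requests, r.Failed, r.PerSecond)
	}
}
```
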

VoIP Attack Detection: Invite Flooding 


[Dialog: Wireshark - Invite Flooding] 

192.168.20.134 

VoIP Attack Detection: Message Flooding 


[Dialog: Wireshark - Message Flooding] 

S.no | Attacker Machine | Target Machine | Messages Sent 
 | 192.168.20.134 | 192.168.20.130 | 

VoIP Attack Detection: MITM Attempts 


[Dialog: Wireshark - MITM Attempts] 

00:0c:29:9c:2f:3f | 48:0f:cf:4b:06:c9 | 48:0f:cf:4b:06:c9 
 | ,48:0f:cf:4b:06:c9 | ,f8:a9:63:4b:c4:4d 


VoIP Attack Detection: Unauthenticated Users 


[Dialog: Wireshark - Unauthenticated Users] 

Username | Call Destination 

Q&A 


Github: github.com/pentesteracademy/voipshark 
nishant@attackdefense.com 